Include the wildcard issuance policy (All Issuance Policies) in a certification authority certificate

If you install an issuing CA and do not explicitly request an issuance policy, the resulting CA certificate will not contain an issuance policy.

If you want to include the wildcard issuance policy (All Issuance Policies) in the certification authority certificate, you must proceed as follows:

To include issuance policies in a certification authority certificate, it is necessary to submit a new certificate request and issue a new certification authority certificate. Since the existing certificate is signed, it cannot be changed.

For the issuance policy to be included in the certificate request, the C:\Windows\capolicy.inf file must be edited before the request is submitted. The following sections must be included:

[PolicyStatementExtension]
Policies=AnyPolicy

; All Issuance Policies
[AnyPolicy]
OID=2.5.29.32.0

A new certificate request can then be submitted.

After the certificate request is signed by the parent certification authority, the new certification authority certificate should include the wildcard issuance policy.
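
To confirm this, the following PowerShell (an added example, not part of the original article) decodes the Certificate Policies extension (2.5.29.32) of the new CA certificate and checks for the All Issuance Policies OID 2.5.29.32.0. The function names and the file path C:\Temp\NewCA.cer are assumptions for illustration, and the file is assumed to be a single certificate in .cer format.

```powershell
# Added example: list the policy OIDs in a certificate and check for anyPolicy (2.5.29.32.0).
function Read-DerTlv {
    # Reads one DER tag-length-value at $Offset and returns where its value starts and ends.
    param([byte[]]$Data, [int]$Offset)
    $tag = $Data[$Offset]
    $len = [int]$Data[$Offset + 1]
    $pos = $Offset + 2
    if ($len -band 0x80) {                       # long-form length
        $count = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $count; $i++) { $len = ($len -shl 8) -bor $Data[$pos + $i] }
        $pos += $count
    }
    [pscustomobject]@{ Tag = $tag; Start = $pos; Length = $len; Next = $pos + $len }
}

function ConvertFrom-DerOid {
    # Decodes the content bytes of a DER OBJECT IDENTIFIER into dotted notation.
    param([byte[]]$Bytes)
    $arcs = New-Object System.Collections.Generic.List[long]
    [long]$value = 0
    foreach ($b in $Bytes) {
        $value = ($value -shl 7) -bor ($b -band 0x7F)
        if (-not ($b -band 0x80)) { $arcs.Add($value); $value = 0 }
    }
    [int]$first = [math]::Min([math]::Floor($arcs[0] / 40), 2)
    $parts = @($first, ($arcs[0] - 40 * $first))
    for ($i = 1; $i -lt $arcs.Count; $i++) { $parts += $arcs[$i] }
    $parts -join '.'
}

function Get-CertificatePolicyOid {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $Path).Path
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $ext) { return @() }                # certificate contains no issuance policy
    $raw = $ext.RawData
    $outer = Read-DerTlv $raw 0                  # SEQUENCE OF PolicyInformation
    $pos = $outer.Start
    while ($pos -lt $outer.Next) {
        $info = Read-DerTlv $raw $pos            # one PolicyInformation SEQUENCE
        $oid = Read-DerTlv $raw $info.Start      # its policyIdentifier (first element)
        ConvertFrom-DerOid ($raw[$oid.Start..($oid.Next - 1)])
        $pos = $info.Next
    }
}

$policies = Get-CertificatePolicyOid -Path 'C:\Temp\NewCA.cer'   # hypothetical path
if ($policies -contains '2.5.29.32.0') { 'All Issuance Policies present' } else {
    "anyPolicy missing; policies found: $($policies -join ', ')" }
```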
