Continuing my 2-post series about Certificate Policies certificate extension. In the first part we covered theoretical questions and common design scenarios. In this post I will show how you can add Certificate Policies extension in CA and end-entity certificates.

Certificate Policies extension in CA certificates

When installing Windows CA, either, via Server Manager UI, or PowerShell, there is no way to provide additional information to include in the CA certificate. To include this information, Windows supports a special CA configuration file named “CAPolicy.inf” which must be saved in the %systemroot% directory (usually, it is C:\Windows). CA installation code reads this file in two cases:

1. During new CA installation;
2. During existing CA certificate renewal.

CAPolicy.inf syntax is another story, so we will focus on our subject only. Main section in the INF file is [PolicyStatementExtension] and has the following syntax:

Part2: Certificate Policies extension – all you should know (part 2)

In this post I’ll discuss about Certificate Policies certificate extension. This article assumes that you have understanding about certificate chaining engine basics.

Intro

Not all certificates are the same or issued in the same way. Some certificates are issued in an automated way, some with minimal validation, but some with strong validation and even by requiring a face-to-face meeting. What is the difference here? In these case we usually say that these certificates were issued under different issuance policies.

A company may have certificate templates that are configured to require user key archival (for backup purposes) in the CA database. Another template requires that client certificates must be stored on smart cards. Thousands cases and each case may have a distinct issuance policy. Users should be aware about them. How? As per best practices, a company should have a written policy about their PKI usage. Your policy may be implemented as a single web page (or web site) or downloadable document and has common name: Certificate Practice Statement (CPS). IETF has developed a framework that helps PKI administrators to effectively create a CPS document. CPS Framework is defined in RFC3647. If certificate was issued under specific policy, this information shall be included in the certificate: Certificate Policies extension.

Hello again!

The problem

Recently I had a dialog with Mark B. Cooper when he reported a weird issue with Install-ADCSCertificationAuthority cmdlet. To repro this issue, prepare a new server without any network adapter (even without a loopback adapter) and run Install-AdcsCertificationAuthority cmdlet without parameters (implies default settings) and you will get:

PS C:\Users\Administrator> Install-AdcsCertificationAuthority

Confirm
Are you sure you want to perform this action?
Performing the operation "Install-AdcsCertificationAuthority" on target "WIN-F6MCGE586LQ".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error:  The
network location cannot be reached. For information about network troubleshooting, see Windows Help. 0x800704cf
(WIN32: 1231 ERROR_NETWORK_UNREACHABLE)
At line:1 char:1
+ Install-AdcsCertificationAuthority
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Install-AdcsCertificationAuthority], CertificationAuthoritySetupE
   xception
    + FullyQualifiedErrorId : Install,Microsoft.CertificateServices.Deployment.Commands.CA.InstallADCSCertificationAut
   hority

PS C:\Users\Administrator>

Hello again, PowerShell CryptoGuy is back!

I was impressed how many feedback I received on my proof of concept version of Enterprise PKI health verifier: Enterprise PKI (pkiview.msc) PowerShell Edition (PoC). I carefully reviewed each feedback and implemented almost all requests.

New year and new post :)

New release

Yesterday I released a new version of PS Cmdlet Help Editor on CodePlex. Essentially this version is the same as previously published beta. Refer to this post to get details about new version: PS Cmdlet Help Editor v3.3.5.0 Beta. I just addressed and fixed issues reported by users and believe, now it is safe for use.