I have a CA server which I’m using to test a production design, unfortunately NDES will not install and fails whilst trying to issue the RA certificates (Exchange Enrollment Agent & CEP Encryption). Following further testing I’m comfortable that this is a policy issue, but I’m unable to resolve.
A CAPolicy.inf file has a couple of OIDs added, these are:
NOTE: I’ve modified the OIDs for this example.
[LegalPolicy]
OID = 1.3.6.1.1.1.1.1
Notice = "This is my legal Notice"
URL = http://my.policy.statement.com/cps.asp
[EnhancedKeyUsageExtension]
OID = 1.821.1.1.1.1.1
Whilst trying to install NDES on the CA server I receive an invalid policy message; see below:
Active Directory Certificate Services denied request 3 because The certificate has invalid policy. 0x800b0113 (-2146762477). The request was for <CA Server>. Additional information: Error Constructing or Publishing Certificate Invalid Application Policies: 1.3.6.1.4.1.311.20.2.1
I can only assume this is a result of the OIDs associated with the NDES service certificates not matching the OIDs specified in the CAPolicy.inf file.
Is my configuration valid? I want to set an OID in the legal policy which has been issued to my organisation, but also set an OID in a custom certificate template under Issuance Policy as mandated by a project team. In order to ensure the CA is used for only this certificate type, I have used the [EnhancedKeyUsageExtension]. However, I’m not completely sure this is correct use of OIDs in the CAPolicy.inf file.
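As an added check (not part of the question, and not a Microsoft tool), the script below parses a CAPolicy.inf like the one posted and reports two things: whether every OID value is syntactically well-formed, and whether an [EnhancedKeyUsageExtension] section is present but omits the Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1) that the CA flagged as an invalid application policy. It assumes the sample file constructed inline, which mirrors the posted one with its placeholder OIDs.

```python
import re

# EKU carried by the NDES RA certificates and named in the CA's denial message.
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
OID_RE = re.compile(r"^\d+(\.\d+)+$")

# Constructed sample mirroring the posted CAPolicy.inf (placeholder OIDs, as in the question).
SAMPLE_CAPOLICY = """\
[LegalPolicy]
OID = 1.3.6.1.1.1.1.1
Notice = "This is my legal Notice"
URL = http://my.policy.statement.com/cps.asp
[EnhancedKeyUsageExtension]
OID = 1.821.1.1.1.1.1
"""

def parse_capolicy(text):
    """Minimal INI reader that keeps repeated keys (CAPolicy.inf repeats 'OID =' lines)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def oid_is_well_formed(oid):
    """Dotted-decimal syntax plus the X.660 rule: under roots 0 and 1 the second arc is at most 39."""
    if not OID_RE.match(oid):
        return False
    arcs = [int(a) for a in oid.split(".")]
    return arcs[0] <= 2 and (arcs[0] == 2 or arcs[1] <= 39)

def check_ndes_compatibility(text):
    """Return findings that would block NDES RA enrollment against this CAPolicy.inf."""
    findings = []
    sections = parse_capolicy(text)
    for name, entries in sections.items():
        findings += [f"[{name}] OID {v!r} is not a well-formed OID"
                     for k, v in entries if k.lower() == "oid" and not oid_is_well_formed(v)]
    # An EKU list in the CA certificate limits what it may issue; NDES needs this OID in it.
    eku = [v for k, v in sections.get("EnhancedKeyUsageExtension", []) if k.lower() == "oid"]
    if eku and CERT_REQUEST_AGENT not in eku:
        findings.append(f"[EnhancedKeyUsageExtension] {eku} omits {CERT_REQUEST_AGENT}")
    return findings
```

Calling check_ndes_compatibility(SAMPLE_CAPOLICY) yields two findings for the sample; adding an OID = 1.3.6.1.4.1.311.20.2.1 line to the [EnhancedKeyUsageExtension] section clears the EKU finding.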