If you install an issuing CA and do not explicitly request an issuance policy, the resulting CA certificate will not contain an issuance policy.
If you want to include the wildcard issuance policy (All Issuance Policies) in the certification authority certificate, you must proceed as follows:
Implementation
To include issuance policies in a certification authority certificate, it is necessary to submit a new certificate request and issue a new certification authority certificate. Since the existing certificate is signed, it cannot be changed.
For the issuance policy to be included in the certificate request, the C:\Windows\capolicy.inf file must be edited before the request is submitted. The following section must be included:
[PolicyStatementExtension]
Policies=AnyPolicy
; All Issuance Policies
[AnyPolicy]
OID=2.5.29.32.0
A new certificate request can then be submitted.
After the certificate request is signed by the parent certification authority, the new certification authority certificate should include the wildcard issuance policy.
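A mistyped section name or OID in capolicy.inf is easy to miss by eye, so the file can be checked before the request is generated. The following is an added example, not part of the original article: it resolves the Policies= entry to the sections it names and reports the OIDs that would be requested. The function names are hypothetical, and treating section names as case-insensitive is an assumption.

```python
import configparser

ANY_POLICY_OID = "2.5.29.32.0"  # anyPolicy, the "All Issuance Policies" wildcard

# Constructed sample: the section shown in this article, as text.
SAMPLE_INF = """\
[PolicyStatementExtension]
Policies=AnyPolicy
; All Issuance Policies
[AnyPolicy]
OID= 2.5.29.32.0
"""

def issuance_policy_oids(inf_text):
    """Return the policy OIDs that [PolicyStatementExtension] resolves to."""
    # strict=False tolerates repeated keys; interpolation=None keeps '%' literal.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(inf_text)
    # Assumption: section names are compared case-insensitively.
    sections = {name.lower(): name for name in parser.sections()}
    ext = sections.get("policystatementextension")
    if ext is None:
        raise ValueError("no [PolicyStatementExtension] section")
    raw = parser.get(ext, "Policies", fallback="")
    names = [n.strip() for n in raw.split(",") if n.strip()]
    if not names:
        raise ValueError("[PolicyStatementExtension] has no Policies= entry")
    oids = []
    for name in names:
        section = sections.get(name.lower())
        if section is None:
            raise ValueError(f"Policies= refers to missing section [{name}]")
        oid = parser.get(section, "OID", fallback="").strip()
        if not oid:
            raise ValueError(f"section [{name}] has no OID= entry")
        oids.append(oid)
    return oids

def requests_all_issuance_policies(inf_text):
    """True if the wildcard issuance policy is among the requested OIDs."""
    return ANY_POLICY_OID in issuance_policy_oids(inf_text)

if __name__ == "__main__":
    print(issuance_policy_oids(SAMPLE_INF))
```

To check a real file, read C:\Windows\capolicy.inf as text with the encoding it was saved in and pass the contents to requests_all_issuance_policies.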