Include the issuance policies for Trusted Platform Module (TPM) Key Attestation in a certification authority certificate.

If you install an issuing CA and do not explicitly request an issuance policy, the resulting CA certificate does not contain an issuance policy.

If you want to include the issuance policies for Trusted Platform Module (TPM) Key Attestation in the certification authority certificate, proceed as follows.

The following OIDs are used for TPM Key Attestation:

OID                        Meaning
1.3.6.1.4.1.311.21.32      TPM Key Attestation: User Credentials (Low Assurance)
1.3.6.1.4.1.311.21.31      TPM Key Attestation: Endorsement Certificate (Medium Assurance)
1.3.6.1.4.1.311.21.30      TPM Key Attestation: Endorsement Key (High Assurance)

Implementation

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of policy rules, making secure automation of certificate issuance possible. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.

Issuance policies cannot be added to an existing certification authority certificate: the certificate is signed by the parent certification authority, so any change to it would invalidate the signature. A new certificate request therefore has to be submitted and a new certification authority certificate issued, i.e. the CA certificate must be renewed.

For the issuance policies to be included in the certificate request, the C:\Windows\capolicy.inf file must be edited before the renewal request is generated, because the file is evaluated when the CA certificate is renewed. The following sections must be included (lines starting with a semicolon are comments):

[PolicyStatementExtension]
Policies=TpmLowAssurancePolicy,TpmMediumAssurancePolicy,TpmHighAssurancePolicy

; TPM Key Attestation: User Credentials (Low Assurance)
[TpmLowAssurancePolicy]
OID=1.3.6.1.4.1.311.21.32

; TPM Key Attestation: Endorsement Certificate (Medium Assurance)
[TpmMediumAssurancePolicy]
OID=1.3.6.1.4.1.311.21.31

; TPM Key Attestation: Endorsement Key (High Assurance)
[TpmHighAssurancePolicy]
OID=1.3.6.1.4.1.311.21.30

If the file already contains a [PolicyStatementExtension] section (for example for other issuance policies), append the three names to the existing Policies= line instead of adding a second section.

The CA certificate can then be renewed (in the Certification Authority console via All Tasks, Renew CA Certificate, or with certutil -renewCert), which generates the new certificate request. On a standalone subordinate CA the resulting request file has to be transferred to the parent certification authority manually.

After the request has been signed by the parent certification authority and the new certificate has been installed, the certification authority certificate contains the three issuance policies for Trusted Platform Module (TPM) Key Attestation in its Certificate Policies extension.
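The following PowerShell script is an added example and not part of the original post. It checks before the renewal whether C:\Windows\CAPolicy.inf actually declares all three policies (listed under Policies= and each with its own section carrying the OID= line), and afterwards reads the Certificate Policies extension of the current CA certificate directly from its DER encoding to confirm that the OIDs really ended up in the certificate. It assumes the CA certificate is renewed with the existing key pair (certutil -renewCert ReuseKeys) and exports the current CA certificate with certutil -ca.cert; the function names and the -Renew switch are the example's own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the issuing CA.
# Assumed: CAPolicy.inf lives at %SystemRoot%\CAPolicy.inf and the existing key pair
# is reused on renewal; -Renew is the example's own switch, pass it only once the INF check passes.
param([switch]$Renew)

# The three TPM Key Attestation issuance policy OIDs from the table above
$ExpectedOids = @(
    '1.3.6.1.4.1.311.21.32'   # User Credentials (Low Assurance)
    '1.3.6.1.4.1.311.21.31'   # Endorsement Certificate (Medium Assurance)
    '1.3.6.1.4.1.311.21.30'   # Endorsement Key (High Assurance)
)

# Minimal INF reader: section name -> hashtable of key/value pairs (';' lines are comments)
function Read-IniFile {
    param([Parameter(Mandatory)][string]$Path)
    $Sections = [ordered]@{}; $Current = $null
    foreach ($Line in Get-Content -Path $Path) {
        $Line = $Line.Trim()
        if ($Line -eq '' -or $Line.StartsWith(';')) { continue }
        if ($Line -match '^\[(.+)\]$') {
            $Current = $Matches[1]
            if (-not $Sections.Contains($Current)) { $Sections[$Current] = @{} }
        } elseif ($null -ne $Current -and $Line -match '^([^=]+)=(.*)$') {
            $Sections[$Current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $Sections
}

# Expected OIDs that CAPolicy.inf would NOT put into the next CA certificate: a policy only
# counts if it is listed under Policies= AND has its own section with an OID= line
function Get-MissingPolicyOid {
    param([string]$Path = (Join-Path $env:SystemRoot 'CAPolicy.inf'))
    if (-not (Test-Path $Path)) { return $ExpectedOids }
    $Ini = Read-IniFile -Path $Path
    $Declared = @()
    $Pse = $Ini['PolicyStatementExtension']
    if ($Pse -and $Pse['Policies']) {
        foreach ($Name in ($Pse['Policies'] -split ',')) {
            $Name = $Name.Trim()
            if ($Ini.Contains($Name) -and $Ini[$Name]['OID']) { $Declared += $Ini[$Name]['OID'] }
        }
    }
    return @($ExpectedOids | Where-Object { $_ -notin $Declared })
}

# DER length field at $Offset -> @(length, number of bytes the length field occupies)
function Read-DerLength {
    param([byte[]]$Bytes, [int]$Offset)
    $First = [int]$Bytes[$Offset]
    if ($First -lt 0x80) { return @($First, 1) }
    $Count = $First -band 0x7F; $Len = 0
    for ($i = 1; $i -le $Count; $i++) { $Len = ($Len -shl 8) -bor [int]$Bytes[$Offset + $i] }
    return @($Len, 1 + $Count)
}

# OBJECT IDENTIFIER content bytes -> dotted string
function ConvertFrom-DerOid {
    param([byte[]]$Content)
    $Subids = @(); $Value = 0
    foreach ($B in $Content) {                       # base-128, high bit set = more bytes follow
        $Value = ($Value -shl 7) -bor ($B -band 0x7F)
        if (($B -band 0x80) -eq 0) { $Subids += $Value; $Value = 0 }
    }
    # the first subidentifier encodes the first two arcs as 40 * arc1 + arc2
    $Arcs = if ($Subids[0] -lt 80) { @([int][math]::Floor($Subids[0] / 40), $Subids[0] % 40) } else { @(2, $Subids[0] - 80) }
    if ($Subids.Count -gt 1) { $Arcs += $Subids[1..($Subids.Count - 1)] }
    return ($Arcs -join '.')
}

# Policy OIDs from the Certificate Policies extension (2.5.29.32), decoded straight from the DER
# so the check does not depend on certutil's friendly names for known OIDs
function Get-CertificatePolicyOid {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $Ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $Ext) { return @() }
    $Raw = $Ext.RawData                              # SEQUENCE OF PolicyInformation
    $Oids = @()
    $L = Read-DerLength $Raw 1; $Pos = 1 + $L[1]; $End = $Pos + $L[0]
    while ($Pos -lt $End) {
        # PolicyInformation ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER, policyQualifiers OPTIONAL }
        $L = Read-DerLength $Raw ($Pos + 1); $Inner = $Pos + 1 + $L[1]; $Next = $Inner + $L[0]
        $L = Read-DerLength $Raw ($Inner + 1); $OidStart = $Inner + 1 + $L[1]
        $Oids += ConvertFrom-DerOid ([byte[]]$Raw[$OidStart..($OidStart + $L[0] - 1)])
        $Pos = $Next
    }
    return $Oids
}

# 1. Before renewal: does CAPolicy.inf declare all three policies?
$Missing = Get-MissingPolicyOid
if ($Missing) { Write-Warning "CAPolicy.inf does not declare: $($Missing -join ', ')"; return }
Write-Host 'CAPolicy.inf declares all three TPM Key Attestation policies.'

# 2. Renew the CA certificate with the existing key pair. An enterprise subordinate CA submits the
#    request to the parent CA automatically; a standalone CA writes a request file instead.
if ($Renew) { certutil -renewCert ReuseKeys }

# 3. After the new certificate has been installed: export the current CA certificate and check it
$CerPath = Join-Path $env:TEMP 'ca-current.cer'
certutil -f -ca.cert $CerPath | Out-Null
$CaCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$Present = Get-CertificatePolicyOid -Certificate $CaCert
$ExpectedOids | ForEach-Object {
    if ($_ -in $Present) { Write-Host "present in CA certificate: $_" } else { Write-Warning "missing in CA certificate: $_" }
}
```

Run the script without -Renew first; it stops with a warning listing the OIDs that CAPolicy.inf would not carry into the new certificate. Once the INF is in order, run it with -Renew. On a standalone subordinate CA step 3 will still report the OIDs as missing until the request file has been signed by the parent certification authority and the new certificate has been installed, so re-run the script afterwards.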
