Suppressing certificate attributes in a CA certificate request

Published Jan 24 2020 01:44 PM 149 Views

First published on TECHNET on Oct 05, 2008

When a PKCS#10 request for a CA certificate is generated, a pre-defined set of certificate attributes is included. This blog entry explains how to eliminate attributes that would go into the CA certificate request by default.

Imagine that you are setting up a new subordinate CA where the parent CA is a non Windows CA. The parent CA may not support or accept certificate attributes like the certificate template name . To exclude an attribute from the CA certificate request you must create a capolicy.inf file in the %WINDIR% directory before creating or renewing a CA certificate. The capolicy.inf file lists the OIDs of the certificate extensions to be excluded in the Extensions section. See the Microsoft Knowledgebase for a list of Object IDs associated with Microsoft cryptography .

The following sample caplicy.inf file would exclude the CA version and the certificate template name from the CA certificate request.

Signature= "$Windows NT$"

[Extensions] = =

Note: Certificate attributes should only be removed from a certificate request if there is real demand for it. Never do it just for cosmetics!

When working with a capolicy.inf file you should be aware of the behavior described in the Microsoft Knowledgebase article Custom extensions in the CAPolicy.inf file do not take effect after you renew the root CA certifica... . The article applies for Root and Subordinate CAs running on Windows Server 2003 SP1 or Windows Server 2003 SP2.

Version history
Last update:
‎Feb 20 2020 02:53 PM
Updated by: