When a PKCS#10 request for a CA certificate is generated, a pre-defined set of certificate attributes is included. This blog entry explains how to eliminate attributes that would go into the CA certificate request by default.
Imagine that you are setting up a new subordinate CA where the parent CA is a non Windows CA. The parent CA may not support or accept certificate attributes like the certificate template name . To exclude an attribute from the CA certificate request you must create a capolicy.inf file in the %WINDIR% directory before creating or renewing a CA certificate. The capolicy.inf file lists the OIDs of the certificate extensions to be excluded in the Extensions section. See the Microsoft Knowledgebase for a list of Object IDs associated with Microsoft cryptography .
The following sample caplicy.inf file would exclude the CA version and the certificate template name from the CA certificate request.