I have a standalone root CA (RootCA) and an enterprise subordinate CA (SubCA). Both Windows Server 2019.
The RootCA seems to ignore the CAPolicy.inf file configuration settings, when attempting to sign the SubCA's CSR, as shown in the pending request properties view:
The CAPolicy.inf on the RootCA (%SystemRoot%\CAPolicy.inf) is this:
[Version]
Signature= "$Windows NT$"
[Strings]
szOID_KEY_USAGE = "2.5.29.15"
[Extensions]
%szOID_KEY_USAGE% = AwIBhg==
Critical = %szOID_KEY_USAGE%
During RootCA installation, the CAPolicy.inf was used to make the KeyUsage extension of the root certificate critical. This can be seen in the root certificate properties as well as in the certocm.log: Opened Policy inf: C:\Windows\CAPolicy.inf
The documentation states
The CAPolicy.inf is a configuration file that defines the extensions, constraints, and other configuration settings that are applied to a root CA certificate and all certificates issued by the root CA.
So, why does the RootCA ignore the CAPolicy.inf when issuing a (SubCA) certificate, despite the docs stating otherwise?
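To make the question's CAPolicy.inf concrete, this added Python example (not the poster's code and not part of Microsoft's CA tooling) expands the [Strings] macros the way the INF parser does and decodes the base64 DER value of the KeyUsage extension into its RFC 5280 flag names, reporting whether the extension was marked Critical. The INF text is a constructed copy of the one quoted above.

```python
import base64
import configparser

# Constructed copy of the CAPolicy.inf shown in the question (sample input).
CAPOLICY_INF = """\
[Version]
Signature= "$Windows NT$"
[Strings]
szOID_KEY_USAGE = "2.5.29.15"
[Extensions]
%szOID_KEY_USAGE% = AwIBhg==
Critical = %szOID_KEY_USAGE%
"""

# RFC 5280 KeyUsage bit positions, most significant bit of the BIT STRING first.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
OID_KEY_USAGE = "2.5.29.15"

def resolve_strings(value, strings):
    """Expand %name% macros from the [Strings] section (quotes stripped)."""
    for name, text in strings.items():
        value = value.replace(f"%{name}%", text.strip('"'))
    return value

def decode_key_usage(b64):
    """Decode a base64 DER BIT STRING (tag 0x03) into the set of KeyUsage flags."""
    der = base64.b64decode(b64)
    if der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER BIT STRING")
    unused, bits = der[2], der[3:]          # first content byte = unused trailing bits
    total_bits = len(bits) * 8 - unused
    return {KEY_USAGE_BITS[i] for i in range(min(total_bits, len(KEY_USAGE_BITS)))
            if bits[i // 8] & (0x80 >> (i % 8))}

def parse_extensions(inf_text):
    """Return {oid: (flags, critical)} for the KeyUsage extension in a CAPolicy.inf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                    # keep key case, e.g. szOID_KEY_USAGE
    cp.read_string(inf_text)
    strings = dict(cp["Strings"])
    result, critical = {}, set()
    for key, value in cp["Extensions"].items():
        if key == "Critical":               # comma-separated list of OIDs (or macros)
            critical.update(resolve_strings(v.strip(), strings) for v in value.split(","))
        elif resolve_strings(key, strings) == OID_KEY_USAGE:
            result[OID_KEY_USAGE] = decode_key_usage(value)
    return {oid: (flags, oid in critical) for oid, flags in result.items()}
```

Running parse_extensions(CAPOLICY_INF) shows that AwIBhg== is the bit string 0x86 with one unused bit, i.e. digitalSignature, keyCertSign and cRLSign, marked critical; this is the same key usage that appears in the root certificate itself.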
If the CSR has the BasicConstraint extension set to CA=True, the CA will default to what you see above. You can override this by running the following on the signing CA (the Root):
Restart the service, then try again.