
What's wrong with my CAPolicy.inf file?

Posted by Joe on July 6, 2006, 3:35 am
Hello there - I am creating a standalone Root CA (i.e., offline), and created
a very simple CAPolicy.inf. It seems to be ignoring the settings in the inf
file. I have already checked to make sure it's not CAPolicy.inf.txt :-)

The errors below from certmmc.log seem to indicate the file is found, but
that the lines that are there are not read. I have looked at it for a while to
see if there is any kind of syntax error, but nothing pops out at me. Like
I said, the file is really simple.

Thanks for any help,

Joe


Here is the Inf file:

[Version]
Signature="$Windows NT$"

[certsrv_server]
Renewalkeylength=4096
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years

CRLPeriod=weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True

[BasicConstraintsExtension]
PathLength=1



And here is the output from certmmc.log:


========================================================================
402.420.948: Begin: 7/6/2006 2:28 PM 54.718s
914.1439.0: certcli.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
914.1439.0: certmmc.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
402.315.949: End: 7/6/2006 2:28 PM 54.750s

========================================================================
402.420.948: Begin: 7/6/2006 2:31 PM 40.718s
914.1439.0: certcli.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
914.1439.0: certmmc.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
201.1061.237: Load Old Certificate: narraSoft Philippines Inc. Root CA(1):
0x1(1)
401.1276.946: Opened Policy inf: C:\WINDOWS\CAPolicy.inf
202.4431.271: Generate Keys: narraSoft Philippines Inc. Root CA(1):
Microsoft Strong Cryptographic Provider: 0x1000(4096)
202.2859.288: Set Key Security
401.1276.946: Opened Policy inf: C:\WINDOWS\CAPolicy.inf
401.1299.964: Closed Policy inf
401.1923.945: Policy inf missing section or key: certsrv_server:
RenewalValidityPeriodUnits: The required line was not found in the INF.
0x800f0102 (-2146500350)
201.1245.287: INF file error: The required line was not found in the INF.
0x800f0102 (-2146500350)
401.2345.945: Policy inf missing section or key: CRLDistributionPoint: URL:
The required line was not found in the INF. 0x800f0102 (-2146500350)
201.1245.287: INF file error: [CRLDistributionPoint] URL =: The required
line was not found in the INF. 0x800f0102 (-2146500350)
401.1532.945: Policy inf missing section or key: PolicyStatementExtension:
Policies: INF file line not found 0xe0000102 (INF: -536870654)
401.1607.944: Policy Statement Extension: INF file line not found 0xe0000102
(INF: -536870654)
401.1532.945: Policy inf missing section or key: CAPolicy: Policies: INF
file line not found 0xe0000102 (INF: -536870654)
401.1607.944: Policy Statement Extension: INF file line not found 0xe0000102
(INF: -536870654)
201.1245.287: INF file error: [PolicyStatementExtension] Policies =: INF
file line not found 0xe0000102 (INF: -536870654)
201.1245.287: INF file error: [CrossCertificateDistributionPointsExtension]:
INF file line not found 0xe0000102 (INF: -536870654)
401.2345.945: Policy inf missing section or key: AuthorityInformationAccess:
URL: The required line was not found in the INF. 0x800f0102 (-2146500350)
201.1245.287: INF file error: [AuthorityInformationAccess] URL =: The
required line was not found in the INF. 0x800f0102 (-2146500350)
401.2345.945: Policy inf missing section or key: EnhancedKeyUsageExtension:
OID: INF file line not found 0xe0000102 (INF: -536870654)
201.1245.287: INF file error: [EnhancedKeyUsageExtension] OID =: INF file
line not found 0xe0000102 (INF: -536870654)
201.1245.287: INF file error: INF file line not found 0xe0000102
(INF: -536870654)
201.1626.238: Clone Root Certificate
401.2345.945: Policy inf missing section or key: certsrv_server: The
required line was not found in the INF. 0x800f0102 (-2146500350)
201.1245.287: INF file error: [certsrv_server]: The required line was not
found in the INF. 0x800f0102 (-2146500350)
202.3514.230: Save certificate and Keys
201.365.232: Finish Supended Setup
201.782.234: Setup complete
201.2763.242: Renew CA -- new keys: narraSoft Philippines Inc. Root CA
401.1299.964: Closed Policy inf: [certsrv_server]
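The comparison Joe describes doing by eye, as an added example that is not part of the original post: it rejoins the wrapped certmmc.log lines, extracts each "missing section or key" entry, and checks it against what the INF file actually contains. The function names are hypothetical; the sample INF and log text are excerpts of what was posted above.

```python
import re

# "Policy inf missing section or key: <section>: [<key>:] <error text>"
MISS = re.compile(r"Policy inf missing section or key: (\w+):(?: (\w+):)?")

def inf_keys(text):
    """Map lower-cased section name -> set of lower-cased key names."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), set())
        elif "=" in line and current is not None:
            current.add(line.split("=", 1)[0].strip().lower())
    return sections

def triage(log_text, inf_text):
    """Classify every 'missing section or key' log entry against the INF."""
    present = inf_keys(inf_text)
    joined = re.sub(r"\s*\n\s*", " ", log_text)  # undo the mail line wrapping
    results = []
    for section, key in MISS.findall(joined):
        keys = present.get(section.lower())
        if keys is None:
            verdict = "section is not in the file"
        elif not key:
            verdict = "section is in the file; log names no key"
        elif key.lower() in keys:
            verdict = "key is in the file but was reported missing"
        else:
            verdict = "key is not in the file"
        results.append((section, key, verdict))
    return results

# Excerpts of the INF file and certmmc.log from the post above.
INF = """[certsrv_server]
RenewalValidityPeriodUnits=10
[CRLDistributionPoint]
Empty=True
"""
LOG = """401.1923.945: Policy inf missing section or key: certsrv_server:
RenewalValidityPeriodUnits: The required line was not found in the INF.
0x800f0102 (-2146500350)
401.2345.945: Policy inf missing section or key: CRLDistributionPoint: URL:
The required line was not found in the INF. 0x800f0102 (-2146500350)
401.1532.945: Policy inf missing section or key: PolicyStatementExtension:
Policies: INF file line not found 0xe0000102 (INF: -536870654)
"""
```

Only entries with the "in the file but was reported missing" verdict contradict the file's contents; lookups for optional sections or keys that were never written are separated out by the other verdicts.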



Posted by Brian Komar on July 7, 2006, 11:43 pm
Wow... does this text look familiar <G>.
My guess is that you copied and pasted this from the CD from my book or
from the PDF document. My guess is that the "_" character was translated
to a different character.
Try retyping the section header for [certsrv_server]
Brian


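A way to test Brian's guess mechanically, as an added example that is not part of the original thread: the script flags any character outside printable ASCII in a section header or key name, and any header that is not one of the section names appearing in this thread's INF file and log. The function names and the sample text are constructed for illustration.

```python
import re
import unicodedata

# Section names that appear in this thread's INF file and certmmc.log.
KNOWN_SECTIONS = {
    "version", "certsrv_server", "crldistributionpoint",
    "authorityinformationaccess", "basicconstraintsextension",
    "policystatementextension", "capolicy", "enhancedkeyusageextension",
    "crosscertificatedistributionpointsextension",
}

def describe(ch):
    """Code point and Unicode name, so an invisible lookalike is identifiable."""
    return "U+%04X %s" % (ord(ch), unicodedata.name(ch, "UNNAMED"))

def lint_inf(text):
    """Return (line_no, message) findings for section headers and key names."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        name = header.group(1) if header else line.split("=", 1)[0].strip()
        odd = [c for c in name if ord(c) > 0x7E or ord(c) < 0x20]
        for c in odd:
            findings.append((no, "non-ASCII %r in %r: %s" % (c, name, describe(c))))
        if header and not odd and name.lower() not in KNOWN_SECTIONS:
            findings.append((no, "unrecognised section [%s]" % name))
    return findings

# Constructed sample: line 4 uses U+FF3F instead of "_", line 6 uses "-".
SAMPLE = (
    '[Version]\n'
    'Signature="$Windows NT$"\n'
    '\n'
    '[certsrv\uff3fserver]\n'
    'RenewalKeyLength=4096\n'
    '[certsrv-server]\n'
    'CRLPeriod=weeks\n'
)

if __name__ == "__main__":
    for line_no, message in lint_inf(SAMPLE):
        print("line %d: %s" % (line_no, message))
```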

Posted by Joe on July 8, 2006, 6:07 am
Ya, it should look VERY familiar :-)

It's cool that you participate in this forum, I'm sure it's appreciated by all
of us learning the stuff.

As far as your response, no, sorry, I actually typed it myself. I typed an
underscore character for that.

Any other guesses? I am quite stumped as to what could be wrong.
Especially considering the file is so simple.

I checked for the obvious screwups, but nothing pops out at me - file is not
named CAPolicy.inf.txt, permissions on the file are readable by everyone,
the file is in C:\Windows. As I mentioned, it appears that the file was
found, and opened, but for some reason it cannot be parsed correctly?

Thanks for any help,

Joe




Posted by Joe on July 11, 2006, 10:03 pm
Hi Brian -

I stumbled across a possible explanation for this, and wondered if you
thought this to be a valid inference.
In:
http://technet2.microsoft.com/WindowsServer/f/?en/Library/0e4472ff-fe9b-4fa7-b5b1-9bb6c5a7f76e1033.mspx ,
it states that:

======================================
NewRequest
The [NewRequest] section is mandatory for an .inf file that acts as a
template for a new certificate request. If this section is missing, the
following error message is displayed:

INF file line not found 0xe0000102 (INF: -536870654)

This section requires at least one key with a value. If this section is
empty and has no keys, the following error message is displayed:

Incorrect function. 0x1 (WIN32: 1)

=======================================

My situation is that I was rebuilding my root CA (our PKI is still in the
planning/prototyping stages), and used a backup of the previous rootca's
key. I was basically installing the CA on a freshly installed server 2k3
R2, and chose to use the option of a previously generated key. In addition,
this CAPolicy.inf file was placed in C:\Windows.

I noticed that the same error (0xe0000102) is logged in the certmmc.log file
I have (along with other errors).

I will be rebuilding the rootCA tomorrow, this time not using the
pre-existing key, to see if that works correctly. I will post my findings.

Thanks,

Joe




Posted by Brian Komar on July 12, 2006, 12:36 am
If you are using a pre-existing key, you are also using a pre-existing
certificate, hence the capolicy.inf file will in large part be ignored
in your scenario.
If you proceed with your current capolicy.inf and generate a new key,
things should work out better.
Brian

