
What's wrong with my CAPolicy.inf file?


Joe

Jul 6, 2006, 3:35:56 AM
Hello there - I am creating a standalone Root CA (i.e., offline), and created
a very simple CAPolicy.inf. It seems to be ignoring the settings in the inf
file. I have already checked to make sure it's not CAPolicy.inf.txt :-)

The errors below from certmmc.log seem to indicate the file is found, but
that the lines that are there are not read. I have looked at it for a while to
see if there is any kind of syntax error, but nothing pops out at me. Like
I said, the file is really simple.

Thanks for any help,

Joe


Here is the Inf file:

[Version]
Signature="$Windows NT$"

[certsrv_server]
Renewalkeylength=4096
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years

CRLPeriod=weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True

[BasicConstraintsExtension]
PathLength=1

And here is the output from certmmc.log:


========================================================================
402.420.948: Begin: 7/6/2006 2:28 PM 54.718s
914.1439.0: certcli.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
914.1439.0: certmmc.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
402.315.949: End: 7/6/2006 2:28 PM 54.750s

========================================================================
402.420.948: Begin: 7/6/2006 2:31 PM 40.718s
914.1439.0: certcli.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
914.1439.0: certmmc.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
201.1061.237: Load Old Certificate: narraSoft Philippines Inc. Root CA(1):
0x1(1)
401.1276.946: Opened Policy inf: C:\WINDOWS\CAPolicy.inf
202.4431.271: Generate Keys: narraSoft Philippines Inc. Root CA(1):
Microsoft Strong Cryptographic Provider: 0x1000(4096)
202.2859.288: Set Key Security
401.1276.946: Opened Policy inf: C:\WINDOWS\CAPolicy.inf
401.1299.964: Closed Policy inf
401.1923.945: Policy inf missing section or key: certsrv_server:
RenewalValidityPeriodUnits: The required line was not found in the INF.
0x800f0102 (-2146500350)
201.1245.287: INF file error: The required line was not found in the INF.
0x800f0102 (-2146500350)
401.2345.945: Policy inf missing section or key: CRLDistributionPoint: URL:
The required line was not found in the INF. 0x800f0102 (-2146500350)
201.1245.287: INF file error: [CRLDistributionPoint] URL =: The required
line was not found in the INF. 0x800f0102 (-2146500350)
401.1532.945: Policy inf missing section or key: PolicyStatementExtension:
Policies: INF file line not found 0xe0000102 (INF: -536870654)
401.1607.944: Policy Statement Extension: INF file line not found 0xe0000102
(INF: -536870654)
401.1532.945: Policy inf missing section or key: CAPolicy: Policies: INF
file line not found 0xe0000102 (INF: -536870654)
401.1607.944: Policy Statement Extension: INF file line not found 0xe0000102
(INF: -536870654)
201.1245.287: INF file error: [PolicyStatementExtension] Policies =: INF
file line not found 0xe0000102 (INF: -536870654)
201.1245.287: INF file error: [CrossCertificateDistributionPointsExtension]:
INF file line not found 0xe0000102 (INF: -536870654)
401.2345.945: Policy inf missing section or key: AuthorityInformationAccess:
URL: The required line was not found in the INF. 0x800f0102 (-2146500350)
201.1245.287: INF file error: [AuthorityInformationAccess] URL =: The
required line was not found in the INF. 0x800f0102 (-2146500350)
401.2345.945: Policy inf missing section or key: EnhancedKeyUsageExtension:
OID: INF file line not found 0xe0000102 (INF: -536870654)
201.1245.287: INF file error: [EnhancedKeyUsageExtension] OID =: INF file
line not found 0xe0000102 (INF: -536870654)
201.1245.287: INF file error: INF file line not found 0xe0000102
(INF: -536870654)
201.1626.238: Clone Root Certificate
401.2345.945: Policy inf missing section or key: certsrv_server: The
required line was not found in the INF. 0x800f0102 (-2146500350)
201.1245.287: INF file error: [certsrv_server]: The required line was not
found in the INF. 0x800f0102 (-2146500350)
202.3514.230: Save certificate and Keys
201.365.232: Finish Supended Setup
201.782.234: Setup complete
201.2763.242: Renew CA -- new keys: narraSoft Philippines Inc. Root CA
401.1299.964: Closed Policy inf: [certsrv_server]


Brian Komar

Jul 7, 2006, 11:43:45 PM
Wow... does this text look familiar <G>.
My guess is that you copied and pasted this from the CD from my book or
from the PDF document. My guess is that the "_" character was translated
to a different character.
Try retyping the section header for [certsrv_server]
Brian



Joe

Jul 8, 2006, 6:07:37 AM
Ya, it should look VERY familiar :-)

It's cool that you participate in this forum, I'm sure it's appreciated by all
of us learning the stuff.

As far as your response, no, sorry, I actually typed it myself. I typed an
underscore character for that.

Any other guesses? I am quite stumped as to what could be wrong.
Especially considering the file is so simple.

I checked for the obvious screwups, but nothing pops out at me - file is not
named CAPolicy.inf.txt, permissions on the file are readable by everyone,
the file is in C:\Windows. As I mentioned, it appears that the file was
found, and opened, but for some reason it cannot be parsed correctly?

Thanks for any help,

Joe


Joe

Jul 11, 2006, 10:03:18 PM
Hi Brian -

I stumbled across a possible explanation for this, and wondered if you
thought this to be a valid inference.
In:
http://technet2.microsoft.com/WindowsServer/f/?en/Library/0e4472ff-fe9b-4fa7-b5b1-9bb6c5a7f76e1033.mspx ,
it states that:

======================================
NewRequest
The [NewRequest] section is mandatory for an .inf file that acts as a
template for a new certificate request. If this section is missing, the
following error message is displayed:

INF file line not found 0xe0000102 (INF: -536870654)

This section requires at least one key with a value. If this section is
empty and has no keys, the following error message is displayed:

Incorrect function. 0x1 (WIN32: 1)

=======================================

My situation is that I was rebuilding my root CA (our PKI is still in the
planning/prototyping stages), and used a backup of the previous rootca's
key. I was basically installing the CA on a freshly installed server 2k3
R2, and chose to use the option of a previously generated key. In addition,
this CAPolicy.inf file was placed in C:\Windows.

I noticed that the same error (0xe0000102) is logged in the certmmc.log file
I have (along with other errors).

I will be rebuilding the rootCA tomorrow, this time not using the
pre-existing key, to see if that works correctly. I will post my findings.

Thanks,

Joe


Brian Komar

Jul 12, 2006, 12:36:07 AM
If you are using a pre-existing key, you are also using a pre-existing
certificate, hence the capolicy.inf file will in large part be ignored
in your scenario.
If you proceed with your current capolicy.inf and generate a new key,
things should work out better.
Brian
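
Added example, not part of the thread and not a Microsoft tool: a Python check that covers both explanations raised above, a mistranslated character in a section header and a file that is read but not applied. The function names are this example's own, and it assumes CAPolicy.inf is saved as ANSI (cp1252).

```python
import re

ENTRY = re.compile(r"^\d+\.\d+\.\d+: ")  # start of a certmmc.log entry
MISSING = re.compile(
    r"Policy inf missing section or key: (\w+): (\w+): .*?(0x[0-9a-f]{8})")

def parse_inf(raw: bytes):
    """Return ({section: {keys}}, [non-ASCII names]); assumes an ANSI file."""
    sections, suspects, current = {}, [], None
    for line in raw.decode("cp1252", errors="replace").splitlines():
        line = line.split(";", 1)[0].strip()  # drop INF comments
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = sections.setdefault(name.lower(), set())
        elif "=" in line and current is not None:
            name = line.split("=", 1)[0].strip()
            current.add(name.lower())
        else:
            continue
        if not name.isascii():  # e.g. a dash pasted where "_" was meant
            suspects.append(name)
    return sections, suspects

def missing_lookups(log: str):
    """Join wrapped log lines into entries; return (section, key, code)."""
    entries = []
    for line in log.splitlines():
        if ENTRY.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return [m.groups() for e in entries if (m := MISSING.search(e))]

def contradictions(raw_inf: bytes, log: str):
    """Lookups logged as missing although the file contains section and key."""
    sections, _ = parse_inf(raw_inf)
    return [(s, k, c) for s, k, c in missing_lookups(log)
            if k.lower() in sections.get(s.lower(), ())]

# Sample input: two wrapped entries copied from the log in the first post.
LOG = """401.1923.945: Policy inf missing section or key: certsrv_server:
RenewalValidityPeriodUnits: The required line was not found in the INF.
0x800f0102 (-2146500350)
401.2345.945: Policy inf missing section or key: CRLDistributionPoint: URL:
The required line was not found in the INF. 0x800f0102 (-2146500350)"""
# Constructed INF bytes: as typed, and with 0x96 (cp1252 en dash) for "_".
INF_TYPED = (b'[Version]\r\nSignature="$Windows NT$"\r\n[certsrv_server]\r\n'
             b"RenewalValidityPeriodUnits=10\r\n[CRLDistributionPoint]\r\nEmpty=True\r\n")
INF_PASTED = INF_TYPED.replace(b"certsrv_server", b"certsrv\x96server")
```

A non-empty suspects list from `parse_inf` matches the first reply's guess. A clean file that still yields entries from `contradictions` points away from a typing error and toward the pre-existing key and certificate case in the last reply.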
