
You cannot enroll in an Online Certificate Status Protocol certificate (CERT_E_INVALID_POLICY)



Symptoms

When you try to enroll in an Online Certificate Status Protocol (OCSP) certificate, the enrollment fails, and the certificate does not enroll or install. Additionally, the client receives a CERT_E_INVALID_POLICY error from the issuing certification authority (CA). 



Cause

One or more of the CAs in the issuing CA's hierarchy have an explicit enhanced key usage (EKU) extension on their CA certificate, but that EKU does not include the object identifier (OID) for OCSP Response Signing (1.3.6.1.5.5.7.3.9). Because an explicit EKU limits a CA to the listed purposes, those CAs cannot issue certificates that are used to sign OCSP responses.



Resolution

This behavior is by design.



More Information

By default, a Microsoft CA certificate has no EKU or application policies. If there are no specifically defined policies, the certificate is considered valid for "All Application Policies." This means that the CA is technically able to issue certificates that have any defined application policy or EKU. This includes OCSP. It is not necessary for the CA certificate to explicitly contain the OCSP signing EKU. If it did contain the OCSP signing EKU, it would also have to explicitly contain the EKU values for any other kinds of certificate that it issues. This is because if any EKU or policies are explicitly defined, the certificate is valid only for the EKU or policies that are included, and the CA would be unable to issue certificates that have other policies.  

 For a CA that chains to a specific certificate vendor (or other third-party root) to be able to issue OCSP certificates, the root certificate also has to either contain the OCSP EKU explicitly or have no OCSP EKU defined at all. Typically, root certificates are not constrained at all. However, we apply constraints to the third-party roots that we include in Windows when they are included in the trusted root list, even though the certificate itself is actually unconstrained. 

Functionally, when the CA issues an OCSP certificate, it performs a standard chain validation on the new certificate. That validation fails because the OCSP certificate carries the OCSP EKU while one or more of the CAs above it are constrained (they have an explicit EKU) but do not list the OCSP EKU, so the chain's effective application policies exclude OCSP Response Signing.
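The following is an added example, not part of the KB article or of Windows itself: a small Python model of the application-policy check described above. A CA certificate with no EKU extension passes every policy through, a CA with an explicit EKU permits only what it lists, and an OCSP Response Signing certificate is rejected with CERT_E_INVALID_POLICY as soon as one constrained CA in the chain omits 1.3.6.1.5.5.7.3.9. The CA names and the serverAuth OID used in the sample chains are constructed; the OCSP OID and the error name come from the article.

```python
# Added example: models the EKU/application-policy chain check behind
# CERT_E_INVALID_POLICY when enrolling an OCSP Response Signing certificate.

OCSP_RESPONSE_SIGNING = "1.3.6.1.5.5.7.3.9"   # id-kp-OCSPSigning (from the article)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"             # id-kp-serverAuth, used in the constructed chains
CERT_E_INVALID_POLICY = 0x800B0105            # HRESULT for "certificate has invalid policy"

def effective_policies(chain):
    """Walk the chain root-first and intersect every explicit EKU extension.
    chain: list of (name, ekus); ekus is None for a certificate with no EKU
    extension, which Windows treats as valid for 'All Application Policies'.
    For a third-party root, ekus may come from the trusted-root-store properties
    rather than the certificate itself, as the article notes."""
    allowed = None
    for _name, ekus in chain:
        if ekus is None:
            continue                                   # unconstrained CA: passes everything through
        allowed = set(ekus) if allowed is None else allowed & set(ekus)
    return allowed                                     # None means the chain is still unconstrained

def check_issuance(chain, leaf_ekus):
    """Return (hresult, offending_ca) for issuing a certificate with leaf_ekus.
    hresult is 0 on success, or CERT_E_INVALID_POLICY when a constrained CA
    does not list one of the leaf's EKUs; offending_ca names the first such CA."""
    for name, ekus in chain:
        if ekus is not None and not set(leaf_ekus) <= set(ekus):
            return CERT_E_INVALID_POLICY, name
    return 0, None

def explain(chain, leaf_ekus):
    """Human-readable verdict for an enrollment attempt against this chain."""
    hr, ca = check_issuance(chain, leaf_ekus)
    if hr == 0:
        allowed = effective_policies(chain)
        scope = "all application policies" if allowed is None else ", ".join(sorted(allowed))
        return f"enrollment OK; hierarchy permits {scope}"
    return f"CERT_E_INVALID_POLICY (0x{hr:08X}): {ca} has an explicit EKU without {OCSP_RESPONSE_SIGNING}"

# Constructed sample hierarchies (root first).
UNCONSTRAINED = [("Contoso Root", None), ("Contoso Issuing CA", None)]
CONSTRAINED_WITHOUT_OCSP = [("Third-Party Root", None),
                            ("Constrained Issuing CA", [SERVER_AUTH])]
CONSTRAINED_WITH_OCSP = [("Third-Party Root", None),
                         ("Constrained Issuing CA", [SERVER_AUTH, OCSP_RESPONSE_SIGNING])]

if __name__ == "__main__":
    for label, chain in [("unconstrained", UNCONSTRAINED),
                         ("constrained, no OCSP EKU", CONSTRAINED_WITHOUT_OCSP),
                         ("constrained, OCSP EKU present", CONSTRAINED_WITH_OCSP)]:
        print(f"{label}: {explain(chain, [OCSP_RESPONSE_SIGNING])}")
```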

Keywords: kb

Article Info
Article ID : 2962991
Revision : 1
Created on : 1/7/2017
Published on : 7/8/2014
Exists online : False
Views : 1233