Suppressing certificate attributes in a CA certificate request

When a PKCS#10 request for a CA certificate is generated, a pre-defined set of certificate attributes is included. This blog entry explains how to eliminate attributes that would go into the CA certificate request by default.

Imagine that you are setting up a new subordinate CA whose parent CA is a non-Windows CA. The parent CA may not support or accept certificate attributes such as the certificate template name. To exclude an attribute from the CA certificate request, you must create a capolicy.inf file in the %WINDIR% directory before creating or renewing the CA certificate. The capolicy.inf file lists the OIDs of the certificate extensions to be excluded in its [Extensions] section. See the Microsoft Knowledgebase for a list of Object IDs associated with Microsoft cryptography.

The following sample capolicy.inf file would exclude the CA version (1.3.6.1.4.1.311.21.1) and the certificate template name (1.3.6.1.4.1.311.21.7) extensions from the CA certificate request.

[Version]
Signature= "$Windows NT$"

[Extensions]
1.3.6.1.4.1.311.21.1 =
1.3.6.1.4.1.311.21.7 =

Note: Certificate attributes should only be removed from a certificate request if there is real demand for it. Never do it just for cosmetics!

When working with a capolicy.inf file you should be aware of the behavior described in the Microsoft Knowledgebase article "Custom extensions in the CAPolicy.inf file do not take effect after you renew the root CA certificate by using a new key". The article applies to Root and Subordinate CAs running on Windows Server 2003 SP1 or Windows Server 2003 SP2.
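Because the exclusion silently has no effect if capolicy.inf was not in place (or, per the article above, after some renewals), it is worth checking the generated request. The following PowerShell script is an added example, not part of the original post: it reads the OIDs given an empty value in the [Extensions] section of capolicy.inf and uses certutil -dump to confirm they no longer appear in the PKCS#10 request. The file paths are assumptions; adjust them for your CA host.

```powershell
# Added example (not from the original post). Verifies that extensions suppressed
# in capolicy.inf are really absent from the generated CA certificate request.
param(
    [string]$InfPath     = "$env:windir\capolicy.inf",   # assumed: default location
    [string]$RequestPath = "C:\CAConfig\SubCA.req"       # hypothetical request file
)

function Get-ExcludedExtensionOids {
    param([string]$Path)
    $inExtensions = $false
    $oids = @()
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inExtensions = ($Matches[1] -ieq 'Extensions'); continue }
        # "OID =" with nothing after the '=' means: suppress this extension
        if ($inExtensions -and $t -match '^(\d+(\.\d+)+)\s*=\s*$') { $oids += $Matches[1] }
    }
    return $oids
}

function Test-RequestExcludesOids {
    param([string]$Req, [string[]]$Oids)
    # certutil -dump decodes the PKCS#10 and prints every extension OID in dotted form
    $dump = certutil -dump $Req | Out-String
    if (-not $dump) { throw "certutil could not decode '$Req'" }
    foreach ($oid in $Oids) {
        # Anchor the match so 1.3.6.1.4.1.311.21.1 does not match a longer OID
        $pattern = '(?<![\d.])' + [regex]::Escape($oid) + '(?![\d.])'
        [pscustomobject]@{ Oid = $oid; StillPresent = [bool]($dump -match $pattern) }
    }
}

$excluded = Get-ExcludedExtensionOids -Path $InfPath
$results  = Test-RequestExcludesOids -Req $RequestPath -Oids $excluded
$results | Format-Table -AutoSize
if ($results | Where-Object StillPresent) {
    Write-Warning "Suppressed extensions are still in the request; was capolicy.inf in %WINDIR% before the request was generated?"
}
```

Run it on the CA after generating or renewing the request, before submitting the request to the parent CA.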