Vadims Podāns 03.06.2020 17:04 (GMT+3) Certificate Policies extension – all you should know (part 1)

In the given scenario, only the policy with ID=2.16.12.3.2.1.1 is valid, because it is present in both the CA certificate and the leaf certificate. Certificate policy processing rules are described in RFC 5280 §6.

Muhammad Irfan 03.06.2020 16:45 (GMT+3) Certificate Policies extension – all you should know (part 1)

> This means that policies can be restricted down in the chain, but not extended. If you define particular policy identifier at 2nd level, you will be unable to add another policy identifier at lower levels, because only that particular policy identifier may be valid at lower levels.

According to this statement, the chain below is not a valid one:

  • Issued Certificate Policies:
    • Policy Identifier=2.16.12.3.2.1.1
    • Policy Identifier=2.16.12.3.1.3.1.1
  • Issued by Certificate Policies:
    • 2.16.12.3.2.1.1

Is it? And what standard/RFC states this?
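The chain from this question, run through a simplified version of the policy processing in RFC 5280 §6, as an added example that is not code from either commenter or from the blog. It assumes no policy mappings, policy constraints or inhibitAnyPolicy, and the function name `valid_policies` is hypothetical.

```python
ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID defined in RFC 5280


def valid_policies(path):
    """Return the set of policy OIDs still valid at the end of a path.

    `path` lists the certificatePolicies OIDs of each certificate, ordered
    from the CA nearest the trust anchor down to the leaf. Use None for a
    certificate that has no Certificate Policies extension at all.
    Simplified model (assumption): policy mappings, policy constraints and
    inhibitAnyPolicy are not handled.
    """
    valid = {ANY_POLICY}  # nothing has restricted the path yet
    for cert_policies in path:
        if cert_policies is None:
            return set()  # extension absent: no policy survives
        asserted = set(cert_policies)
        if ANY_POLICY in valid:
            # Unrestricted so far: whatever this certificate asserts is accepted.
            valid = asserted
        elif ANY_POLICY not in asserted:
            # Already restricted: only OIDs present at both levels survive.
            valid = valid & asserted
        # Otherwise the certificate asserts anyPolicy and the set is unchanged.
        if not valid:
            return set()
    return valid


# Chain from the comment above: issuing CA first, then the issued certificate.
ISSUER = ["2.16.12.3.2.1.1"]
ISSUED = ["2.16.12.3.2.1.1", "2.16.12.3.1.3.1.1"]

if __name__ == "__main__":
    surviving = valid_policies([ISSUER, ISSUED])
    print("valid:", sorted(surviving))
    print("dropped:", sorted(set(ISSUED) - surviving))
```

In this model the extra identifier in the issued certificate is dropped from the valid set rather than invalidating the path; the path ends with no valid policy only when the intersection is empty or a certificate omits the extension.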

Vadims Podāns 02.06.2020 18:18 (GMT+3) Designing CRL Distribution Points and Authority Information Access locations

> If yes, do all these HTTP URLs point to the same CRL file or each URL has its own CRL file?

Yes, you can have multiple HTTP URLs. They should point to their own copy of the same CRL file.

ZISHAN ALI SAIYED 02.06.2020 17:38 (GMT+3) Designing CRL Distribution Points and Authority Information Access locations

Hi Vadims,

Can a CA have multiple HTTP URLs? If yes, do all these HTTP URLs point to the same CRL file or each URL has its own CRL file?

Vadims Podāns 31.05.2020 13:37 (GMT+3) How to remove expired user certificates from Active Directory

You need to do some scripting for that. I would recommend asking your question on scripting forums, for example, TechNet: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG