In the given scenario, only the policy with ID=22.214.171.124.2.1.1 is valid, because it is present in both the CA certificate and the leaf certificate. Certificate policy processing rules are described in RFC 5280 §6.
> This means that policies can be restricted down in the chain, but not extended. If you define a particular policy identifier at the 2nd level, you will be unable to add another policy identifier at lower levels, because only that particular policy identifier may be valid at lower levels.
According to this statement, the chain below is not a valid one:
Is it? And what standard/RFC states this?
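The restriction rule discussed in the comments above, as an added example that is not part of the original thread: a simplified Python model of the RFC 5280 §6.1 policy intersection. The function name and the `2.999.*` policy OIDs (the OID example arc) are constructed for illustration; policy mappings, `inhibitAnyPolicy` and `requireExplicitPolicy` are not modelled.

```python
# Simplified model of RFC 5280 section 6.1 certificate policy processing.
# Added example: names and sample OIDs are constructed, not from the thread.
ANY_POLICY = "2.5.29.32.0"   # anyPolicy OID defined in RFC 5280
POLICY_A = "2.999.1.1"       # constructed sample OID (example arc 2.999)
POLICY_B = "2.999.1.2"       # constructed sample OID (example arc 2.999)


def valid_policies(path):
    """Return the policy OIDs that are valid for the whole path.

    `path` holds the certificatePolicies of every certificate below the
    trust anchor, ordered from the first CA down to the leaf. Each entry is
    a set of OID strings, or None when the extension is absent.
    """
    valid = {ANY_POLICY}  # initial state: any policy is acceptable
    for cert_policies in path:
        if cert_policies is None:
            return set()  # no extension: the valid policy tree becomes NULL
        if ANY_POLICY in valid:
            # Nothing restricted so far: this certificate sets the limits.
            valid = set(cert_policies)
        elif ANY_POLICY not in cert_policies:
            # Policies absent from the issuer's valid set are dropped here,
            # which is why a lower level cannot extend the set.
            valid &= cert_policies
        # else: the certificate asserts anyPolicy, so the set is unchanged.
        if not valid:
            return set()
    return valid


if __name__ == "__main__":
    chains = {
        "restricted at leaf": [{POLICY_A, POLICY_B}, {POLICY_A}],
        "leaf tries to extend": [{POLICY_A}, {POLICY_A, POLICY_B}],
        "leaf asserts other policy": [{POLICY_A}, {POLICY_B}],
        "CA uses anyPolicy": [{ANY_POLICY}, {POLICY_B}],
        "intermediate has no extension": [{POLICY_A}, None, {POLICY_A}],
    }
    for name, path in chains.items():
        print(f"{name}: {sorted(valid_policies(path)) or 'no valid policy'}")
```

An empty result does not by itself make the chain untrusted: the path is rejected on policy grounds only when an explicit policy is required, which this model leaves out.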
> If yes, do all these HTTP URLs point to the same CRL file or does each URL have its own CRL file?
Yes, you can have multiple HTTP URLs. They should point to their own copy of the same CRL file.
Can a CA have multiple HTTP URLs? If yes, do all these HTTP URLs point to the same CRL file or does each URL have its own CRL file?
You need to do some scripting for that. I would recommend asking your question on scripting forums, for example, TechNet: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
© 2008 - 2020 - Sysadmins LV. All rights reserved