Wednesday, September 30, 2009

Certificate Authority

When adding the Application Policy OID for the AMT certificate, we ran into an interesting problem. The error message we got was: “The following object identifier has already been used: 2.1.840.1.113741.1.2.3. Type a different value.“

The CA claimed that such an OID already existed, although when we checked the OID list we did not see that OID in the table. Together with Microsoft we also found a solution for this.

It seems that some incorrect information exists in AD. Please follow these steps to check and correct it:
1. Run this command to export AD: (I suppose the domain name is "".)
Ldifde -f out.txt -d "CN=OID,CN=Public Key services,CN=Services,CN=Configuration,DC=Contoso,DC=com"

2. Open out.txt and see if OID 2.16.840.1.113741.1.2.3 exists. It could be similar to this:
dn: CN=3.4150BAD13DBF0E373C9B003794AA3307,CN=OID,CN=Public Key
changetype: add
objectClass: top
objectClass: msPKI-Enterprise-Oid
cn: 3.4150BAD13DBF0E373C9B003794AA3307
distinguishedName: CN=3.4150BAD13DBF0E373C9B003794AA3307,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=Contoso,DC=com
instanceType: 4
whenCreated: 20081224184130.0Z
whenChanged: 20081224184157.0Z
uSNCreated: 109161123
uSNChanged: 109161123
showInAdvancedViewOnly: TRUE
name: 3.4150BAD13DBF0E373C9B003794AA3307
objectGUID:: 5xx+EikduUaGt4AI7By82w==
flags: 3
msPKI-Cert-Template-OID: 2.16.840.1.113741.1.2.3

3. Open Adsiedit.msc and find
"CN=3.4150BAD13DBF0E373C9B003794AA3307,CN=OID,CN=Public Key

4. Open Properties of this object and verify the DisplayName attribute. If it is set to "Not Set", currently the Application Policy OID is not able to be displayed in the Add Application Policy Dialog box, and they are not going to be able to create a new Application Policy with the same OID because the OID already exists. Please add a value to this attribute such as "AMT Provision".
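To do the check in step 2 without reading out.txt by hand, here is an added Python example (not from the original post and not Microsoft's code) that parses an ldifde export, finds the msPKI-Enterprise-Oid object registered for a given OID, and lists OID objects whose displayName is missing. The LDIF sample and the cn/domain values in it are constructed for the example.

```python
import base64

# Constructed sample of an "ldifde -f out.txt -d CN=OID,..." export (not the
# page's real data): the first object has no displayName, the second is normal.
SAMPLE_LDIF = """\
dn: CN=3.0123456789ABCDEF0123456789ABCDEF,CN=OID,CN=Public Key Services,
 CN=Services,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: msPKI-Enterprise-Oid
cn: 3.0123456789ABCDEF0123456789ABCDEF
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
msPKI-Cert-Template-OID: 2.16.840.1.113741.1.2.3

dn: CN=3.FEDCBA9876543210FEDCBA9876543210,CN=OID,CN=Public Key Services,
 CN=Services,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: msPKI-Enterprise-Oid
cn: 3.FEDCBA9876543210FEDCBA9876543210
displayName: Example Application Policy
msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.10.3.4
"""

def parse_ldif(text):
    """Split an ldifde export into records {attribute: [values]}: unfold
    continuation lines (leading space) and decode base64 values ('attr:: ...')."""
    unfolded = text.replace("\n ", "")        # LDIF line folding: "\n " joins lines
    records = []
    for block in unfolded.split("\n\n"):      # records are separated by blank lines
        rec = {}
        for line in block.splitlines():
            if not line.strip():
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # base64-encoded attribute value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            rec.setdefault(attr.strip(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def enterprise_oids(text):
    """Only the msPKI-Enterprise-Oid objects (the OID registrations in the container)."""
    return [r for r in parse_ldif(text) if "msPKI-Enterprise-Oid" in r.get("objectClass", [])]

def oid_objects(text, oid):
    return [r for r in enterprise_oids(text) if oid in r.get("msPKI-Cert-Template-OID", [])]

def hidden_oid_objects(text):
    # No displayName: the CA sees a duplicate, but the Add Application Policy dialog cannot show it.
    return [r["cn"][0] for r in enterprise_oids(text) if not r.get("displayName")]
```

Run it against the real out.txt with `oid_objects(open("out.txt").read(), "2.16.840.1.113741.1.2.3")` to get the object whose displayName then needs to be set in Adsiedit.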