Windows PKI CA: "The certificate has invalid policy"

When you try to issue a new certificate on a Windows client, this might not work and you get the following error:

The certificate has invalid policy. 0x800b0113 (CERT_E_INVALID_POLICY)

The root cause of this is that the issuing CA has restricted the issuance policies you can use. If you have created a certificate template that uses a policy that is not allowed, you will get that error message.

There is a quick and dirty way to get rid of this error, but it also makes your CA a bit less secure: the flag below tells the CA to stop checking that the issuance policies in a request are ones its own certificate allows. On the CA, run the following commands:

certutil -setreg CA\CRLFlags +CRLF_IGNORE_INVALID_POLICIES
net stop certsvc
net start certsvc

Now you should be able to issue the certificate. The cleaner fix is to remove the disallowed policy OID from the template (or renew the CA certificate with the policies you need) instead of leaving the check switched off.

To set it back the way it was, just use these commands:

certutil -setreg CA\CRLFlags -CRLF_IGNORE_INVALID_POLICIES
net stop certsvc
net start certsvc
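Before loosening the CA it helps to see which policies the CA certificate actually permits and to record the current CRLFlags so the change can be reviewed and reverted. The PowerShell below is an added example, not part of the original post; it assumes it runs elevated on the issuing CA, and the template name is a placeholder.

```powershell
# Added example (not from the original post). Assumes an elevated session on
# the issuing CA. $TemplateName is a placeholder for the template that failed.
$TemplateName = 'MyTemplate'

# 1. Record the current CRLFlags before touching anything. certutil decodes the
#    DWORD into its symbolic flag names, so the output is readable as-is.
Write-Output '--- CRLFlags before ---'
certutil -getreg CA\CRLFlags

# 2. Export the CA certificate and show its Certificate Policies extension.
#    Issued certificates may only assert issuance policies that the CA's own
#    certificate permits; a template OID missing here is what triggers
#    CERT_E_INVALID_POLICY.
$caCert = Join-Path $env:TEMP 'ca-policy-check.cer'
certutil -ca.cert $caCert | Out-Null
Write-Output '--- Certificate Policies in the CA certificate ---'
certutil -dump $caCert | Select-String -Pattern 'Certificate Policies' -Context 0,8

# 3. Show the template so its policy OIDs can be compared with the list above.
Write-Output "--- Template $TemplateName ---"
certutil -v -template $TemplateName

# 4. Only if the template cannot be fixed: apply the workaround from the post
#    (commented out so the script is read-only by default).
# certutil -setreg CA\CRLFlags +CRLF_IGNORE_INVALID_POLICIES
# Restart-Service certsvc

# 5. Check whether the CA is currently ignoring policy constraints, so the
#    workaround is not forgotten after the certificate has been issued.
$flags = (certutil -getreg CA\CRLFlags) -join "`n"
if ($flags -match 'CRLF_IGNORE_INVALID_POLICIES') {
    Write-Warning 'CRLF_IGNORE_INVALID_POLICIES is set: the CA is not enforcing issuance policy constraints. Revert when done.'
} else {
    Write-Output 'Issuance policy constraints are enforced.'
}

Remove-Item $caCert -ErrorAction SilentlyContinue
```

Step 5 is the part worth keeping around: run it after the revert commands above to confirm the flag is really gone, since a CA left with this flag set will issue certificates carrying policy OIDs its chain never authorised.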
