{"id":12125,"date":"2026-04-04T19:25:54","date_gmt":"2026-04-05T00:25:54","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=12125"},"modified":"2026-04-10T19:43:14","modified_gmt":"2026-04-11T00:43:14","slug":"creating-and-using-an-ad-cs-custom-policy-module","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=12125","title":{"rendered":"Creating and Using an AD CS Custom Policy Module"},"content":{"rendered":"

This information relates to the custom CA policy module implementation at https:\/\/github.com\/ljr55555\/CustomEkuPolicy<\/a><\/p>\n

Values Used in this Implementation<\/h2>\n

The following GUID values are used within the code<\/p>\n

LIBID CustomEkuPolicyModule 71e54225-3720-45d5-a181-1ce854b74c58<\/p>\n

CLSID CustomEkuPolicyModule bea77360-4ed0-469c-a888-7b5cac3b8776<\/p>\n

Project GUID 98d72278-b7ab-4f6b-817c-55dac0796675<\/p>\n

Documentation is written while adding the custom module to a CA named UG-IssuingCA-02<\/p>\n

Code Overview<\/h2>\n

CustomEkuPolicy.dll is a custom AD CS policy module<\/strong> implemented as a native ATL COM DLL<\/strong>. It is designed to work as a wrapper<\/strong> around Microsoft\u2019s default AD CS policy module rather than replacing that behavior entirely.<\/p>\n

Purpose<\/strong><\/p>\n

The DLL adds a controlled enhancement to certificate issuance:<\/p>\n

    \n
  • preserve normal Microsoft CA policy behavior<\/li>\n
  • preserve compatibility with Venafi\/MS CA workflows<\/li>\n
  • inject Server Authentication<\/strong> and Client Authentication<\/strong> EKUs only when appropriate<\/li>\n<\/ul>\n

    High-level behavior<\/strong><\/p>\n

    When the CA processes a certificate request, the module does the following:<\/p>\n

      \n
    1. Loads and delegates to the Microsoft default policy module:\n
        \n
      • CertificateAuthority_MicrosoftDefault.Policy<\/li>\n<\/ul>\n<\/li>\n
      • Lets the default policy module evaluate the request normally:\n
          \n
        • issuance<\/li>\n
        • pending\/deny decisions<\/li>\n
        • standard AD CS behavior<\/li>\n<\/ul>\n<\/li>\n
        • If the default policy module decides to issue immediately<\/strong>:\n
            \n
          • inspect the request\/certificate context<\/li>\n
          • determine whether the certificate is eligible for EKU injection<\/li>\n<\/ul>\n<\/li>\n
          • Inject the following EKUs only when all conditions are met:\n
              \n
            • Server Authentication<\/strong>: 1.3.6.1.5.5.7.3.1<\/li>\n
            • Client Authentication<\/strong>: 1.3.6.1.5.5.7.3.2<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n

              Injection conditions<\/strong><\/p>\n

              EKU injection occurs only if:<\/p>\n

                \n
              • the default Microsoft policy module returned issue now<\/strong><\/li>\n
              • the certificate is not<\/strong> a CA certificate<\/li>\n
              • the certificate\u2019s template\/type name is allowed<\/li>\n
              • the certificate does not already contain<\/strong> an EKU extension<\/li>\n<\/ul>\n

                If any of those conditions are not met, the request is left unchanged.<\/p>\n

                Why the wrapper design is used<\/strong><\/p>\n

                Earlier testing showed that completely replacing Microsoft\u2019s default policy logic caused incompatibility with Venafi.
                \nTo avoid that, this module wraps the default policy module and preserves its normal behavior first, then applies the EKU enhancement afterward.<\/p>\n

                This design is what allows:<\/p>\n

                  \n
                • successful issuance through Venafi<\/li>\n
                • retention of normal CA behavior<\/li>\n
                • selective EKU injection<\/li>\n<\/ul>\n

                  Template\/type filtering<\/strong><\/p>\n

                  The module supports a registry-driven allow-list of certificate template\/type names.<\/p>\n

                  Registry path:<\/p>\n

                  HKLM\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\<CAName>\\PolicyModules\\CustomEkuPolicy.Module<\/p>\n

                   <\/p>\n

                  Registry value:<\/p>\n

                  AllowedTemplateNames<\/p>\n

                  Type:<\/p>\n

                  REG_MULTI_SZ<\/p>\n

                  If the registry value is missing or empty, the module defaults to allowing only:<\/p>\n

                  WebServer<\/p>\n

                  This prevents the module from broadly injecting TLS EKUs into unrelated certificate types such as code-signing or other special-purpose leaf certificates.<\/p>\n

                  Important implementation details<\/strong><\/p>\n

                    \n
                  • Implemented as ICertPolicy2<\/li>\n
                  • Built as an in-process COM DLL loaded by certsrv.exe<\/li>\n
                  • Uses ATL for COM plumbing<\/li>\n
                  • Uses CryptoAPI to ASN.1-encode the EKU extension<\/li>\n
                  • Supports binary extension values returned by AD CS as either:\n
                      \n
                    • VT_BSTR<\/li>\n
                    • VT_ARRAY | VT_UI1<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

                      Failure behavior<\/strong><\/p>\n

                      If EKU injection fails:<\/p>\n

                        \n
                      • the module logs the failure<\/li>\n
                      • the default Microsoft issuance decision is preserved<\/li>\n<\/ul>\n

                        This means the module is effectively fail-open<\/strong> with respect to EKU injection, to avoid breaking certificate issuance workflows.<\/p>\n

                        Result<\/strong><\/p>\n

                        In normal operation, certificates of the allowed type that do not already contain EKUs are issued with:<\/p>\n

                          \n
                        • Server Authentication<\/li>\n
                        • Client Authentication<\/li>\n<\/ul>\n

                          Other certificate types are left unchanged.<\/p>\n

                          Function Reference Table<\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                          Function<\/strong><\/th>\nLocation<\/strong><\/th>\nCalled from<\/strong><\/th>\nCalls<\/strong><\/th>\nPurpose<\/strong><\/th>\n<\/tr>\n<\/thead>\n
                          DllMain<\/td>\ndllmain.cpp<\/td>\nWindows loader<\/td>\n_AtlModule.DllMain<\/td>\nStandard DLL entry point for process\/thread attach and detach.<\/td>\n<\/tr>\n
                          DllCanUnloadNow<\/td>\ndllmain.cpp<\/td>\nCOM runtime<\/td>\n_AtlModule.DllCanUnloadNow<\/td>\nStandard COM export used to determine whether the DLL can be unloaded.<\/td>\n<\/tr>\n
                          DllGetClassObject<\/td>\ndllmain.cpp<\/td>\nCOM runtime<\/td>\n_AtlModule.DllGetClassObject<\/td>\nStandard COM export that returns the class factory for CCustomEkuPolicyModule.<\/td>\n<\/tr>\n
                          DllRegisterServer<\/td>\ndllmain.cpp<\/td>\nCOM registration tools \/ COM runtime if invoked<\/td>\n_AtlModule.DllRegisterServer<\/td>\nStandard COM registration export. Manual registry registration is used operationally instead.<\/td>\n<\/tr>\n
                          DllUnregisterServer<\/td>\ndllmain.cpp<\/td>\nCOM registration tools \/ COM runtime if invoked<\/td>\n_AtlModule.DllUnregisterServer<\/td>\nStandard COM unregistration export.<\/td>\n<\/tr>\n
                          GetTypeInfoCount<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nCOM\/IDispatch clients if they query dispatch metadata<\/td>\nnone<\/td>\nMinimal IDispatch stub implementation. Returns no type information.<\/td>\n<\/tr>\n
                          GetTypeInfo<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nCOM\/IDispatch clients<\/td>\nnone<\/td>\nMinimal IDispatch stub implementation. Not implemented for this module.<\/td>\n<\/tr>\n
                          GetIDsOfNames<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nCOM\/IDispatch clients<\/td>\nnone<\/td>\nMinimal IDispatch stub implementation. Not used by AD CS in this design.<\/td>\n<\/tr>\n
                          Invoke<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nCOM\/IDispatch clients<\/td>\nnone<\/td>\nMinimal IDispatch stub implementation. Not used by AD CS in this design.<\/td>\n<\/tr>\n
                          Initialize<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nAD CS when the policy module is initialized<\/td>\nEnsureDefaultPolicyLoaded, LoadConfiguration, m_spDefaultPolicy->Initialize<\/td>\nStores the CA config string, loads registry-based configuration, loads the Microsoft default policy module, and delegates initialization to the default module.<\/td>\n<\/tr>\n
                          VerifyRequest<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nAD CS for each certificate request<\/td>\nEnsureDefaultPolicyLoaded, m_spDefaultPolicy->VerifyRequest, TryInjectDefaultEku, LogHr<\/td>\nMain policy processing function. Delegates request handling to the Microsoft default policy module and, if the request is immediately issued, attempts EKU injection.<\/td>\n<\/tr>\n
                          GetDescription<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nAD CS \/ administrative interfaces<\/td>\nnone<\/td>\nReturns a human-readable description of the policy module.<\/td>\n<\/tr>\n
                          ShutDown<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nAD CS during service shutdown \/ module unload<\/td>\nm_spDefaultPolicy->ShutDown<\/td>\nDelegates shutdown to the default policy module.<\/td>\n<\/tr>\n
                          GetManageModule<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nAD CS \/ administrative interfaces<\/td>\nm_spDefaultPolicy2->GetManageModule<\/td>\nPass-through to the default policy module\u2019s ICertPolicy2::GetManageModule() when available.<\/td>\n<\/tr>\n
                          EnsureDefaultPolicyLoaded<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nInitialize, VerifyRequest<\/td>\nCLSIDFromProgID, CoCreateInstance, QueryInterface<\/td>\nLoads the Microsoft default policy module (CertificateAuthority_MicrosoftDefault.Policy) and caches interface pointers.<\/td>\n<\/tr>\n
                          LoadConfiguration<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nInitialize<\/td>\nLoadAllowedTemplateNamesFromRegistry<\/td>\nLoads custom registry-driven configuration for the wrapper module.<\/td>\n<\/tr>\n
                          LoadAllowedTemplateNamesFromRegistry<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nLoadConfiguration<\/td>\nRegOpenKeyExW, RegQueryValueExW, RegCloseKey, LogInfo<\/td>\nReads AllowedTemplateNames from the CA policy module registry key and populates the internal allow-list. Falls back to WebServer if not configured.<\/td>\n<\/tr>\n
                          TryInjectDefaultEku<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nVerifyRequest<\/td>\nCoCreateInstance, SetContext, IsCaRequest, GetTemplateName, IsTemplateAllowed, IsExtensionPresent, BuildDefaultEkuEncoded, SetExtensionBytes, LogInfo, LogHr<\/td>\nPerforms the conditional EKU injection logic after default policy approval.<\/td>\n<\/tr>\n
                          GetExtensionBytes<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nIsExtensionPresent, IsCaRequest, GetTemplateName<\/td>\nICertServerPolicy::GetCertificateExtension, ICertServerPolicy::GetCertificateExtensionFlags, VariantClear<\/td>\nReads a certificate\/request extension value from ICertServerPolicy as binary.<\/td>\n<\/tr>\n
                          SetExtensionBytes<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nTryInjectDefaultEku<\/td>\nSysAllocStringByteLen, ICertServerPolicy::SetCertificateExtension, VariantClear<\/td>\nWrites a binary certificate\/request extension value back through ICertServerPolicy. Used to inject EKU.<\/td>\n<\/tr>\n
                          IsExtensionPresent<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nTryInjectDefaultEku<\/td>\nGetExtensionBytes, VariantClear<\/td>\nChecks whether a specific extension OID already exists in the current request\/certificate context.<\/td>\n<\/tr>\n
                          BuildDefaultEkuEncoded<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nTryInjectDefaultEku<\/td>\nCryptEncodeObjectEx<\/td>\nBuilds and ASN.1-encodes the default EKU extension containing Server Auth and Client Auth OIDs.<\/td>\n<\/tr>\n
                          IsCaRequest<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nTryInjectDefaultEku<\/td>\nGetExtensionBytes, VariantBinaryToBytes, CryptDecodeObjectEx, VariantClear, LocalFree<\/td>\nReads and decodes Basic Constraints to determine whether the request is for a CA certificate.<\/td>\n<\/tr>\n
                          VariantBinaryToBytes<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nIsCaRequest, GetTemplateName<\/td>\nSysStringByteLen, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayAccessData, SafeArrayUnaccessData<\/td>\nNormalizes binary values returned from AD CS (VT_BSTR or `VT_ARRAY<\/td>\n<\/tr>\n
                          GetTemplateName<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nTryInjectDefaultEku<\/td>\nGetExtensionBytes, VariantBinaryToBytes, CryptDecodeObjectEx, VariantClear, LocalFree<\/td>\nReads and decodes the certificate template\/type name extension (1.3.6.1.4.1.311.20.2).<\/td>\n<\/tr>\n
                          IsTemplateAllowed<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nTryInjectDefaultEku<\/td>\nEqualsIgnoreCase<\/td>\nChecks whether the decoded template\/type name matches one of the allowed names from configuration.<\/td>\n<\/tr>\n
                          EqualsIgnoreCase<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nIsTemplateAllowed<\/td>\ntowlower<\/td>\nCase-insensitive string comparison helper for template\/type matching.<\/td>\n<\/tr>\n
                          LogEventWord<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nLogInfo, LogHr<\/td>\nRegisterEventSourceW, ReportEventW, DeregisterEventSource<\/td>\nLow-level Windows Event Log writer for the CustomEkuPolicy source.<\/td>\n<\/tr>\n
                          LogInfo<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nMultiple internal functions<\/td>\nLogEventWord<\/td>\nConvenience wrapper for informational event logging.<\/td>\n<\/tr>\n
                          LogHr<\/td>\nCustomEkuPolicyModule.cpp<\/td>\nMultiple internal functions<\/td>\nStringCchPrintfW, LogEventWord<\/td>\nConvenience wrapper for logging HRESULT failures to the Windows Event Log.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

                          Code Flow<\/h2>\n

                          This section describes how the main code paths in CustomEkuPolicy.dll work.<\/p>\n

                          1. DLL load and COM registration<\/strong><\/p>\n

                          The DLL is an ATL COM in-process server.<\/p>\n

                          Key file:<\/p>\n