An intermediate CA does NOT permit issuing policies for itself, or for subordinate CAs.
If you wish to configure an intermediate CA to permit this behavior:
1. Open the %SystemRoot%\CApolicy.inf file in Notepad. If the file does not exist, create it to contain:
\[Version\]
Signature= "$Windows NT$"
2. After the \[Version\] section, add the following:
\[PolicyStatementExtension\]
Policies = AllIssuancePolicy
Critical = FALSE
\[AllIssuancePolicy\]
OID = 2.5.29.32.0
3. Save the %SystemRoot%\CApolicy.inf file.
4. Exit Notepad.
5. Open a CMD.EXE Window and type the following, pressing Enter after each line:
net stop certsvc
net start certsvc
NOTE: If you created a new %SystemRoot%\CApolicy.inf file, it would look like:
\[Version\]
Signature= "$Windows NT$"
\[PolicyStatementExtension\]
Policies = AllIssuancePolicy
Critical = FALSE
\[AllIssuancePolicy\]
OID = 2.5.29.32.0