CAPolicy.inf questions

    Question

  • Is the CAPolicy.inf file a requirement, or can the same values be answered during install of ADCS via the installation wizard? If I have a CAPolicy.inf file, are the values defined in it fed to the installation wizard? Why must I run certutil post scripts if I'm defining some of the settings in the CAPolicy.inf?

    e.g. CRLPeriod=weeks and certutil -setreg CA\CRLPeriod "Weeks"

    Monday, May 02, 2011 8:24 PM

Answers

  • You still need to use CAPolicy.inf for most cases. This is because you can only do the following with CAPolicy.inf

    - prevent issuance of delta CRLs at installation of the CA

    - prevent automatic issuance of the default certificate templates

    - include OIDs in the CA certificate request and define multiple assurance levels

    - Define cross-certification constraints within a CA certificate: Name constraints, path length restrictions, policy mapping, limiting application policies

    - pre-defining CRL publication intervals

    You will still need to run post-installation scripts too though.

    - Define default audit settings

    - Define base and delta CRL overlap settings (not definable in the CAPolicy.inf)

    - Define EditFlags for the CA

    - Change SHA signing settings if using KSP

    So, you really need to use both.

    Brian

    • Marked as answer by PaulT15 Tuesday, May 03, 2011 7:31 PM
    Tuesday, May 03, 2011 3:34 PM
  • Not all values can be specified during CA server installation and can be defined in CAPolicy.inf file only. For example: CA server qualified subordination settings (name/application policy/issuance policy constraints, policy mappings), CA certificate renewal validity period (for root CAs), CSPs and so on.

    Your mentioned setting can be omitted in the CAPolicy.inf, but should exist in the post-installation script. My advice is to specify as many settings as possible in the CAPolicy.inf and configure other settings in the post-installation script.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    • Marked as answer by PaulT15 Tuesday, May 03, 2011 7:31 PM
    Tuesday, May 03, 2011 3:38 PM
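An added example, not from either answer above, showing how the two halves fit together: a CAPolicy.inf dropped into %SystemRoot% before the ADCS role is installed (covering the items Brian says only CAPolicy.inf can set), followed by the post-install certutil script for the settings that live only in the CA registry (audit, CRL overlap, EditFlags, KSP hash algorithm). The host names, the policy OID and all period values are assumed placeholders.

```powershell
# Added example: CAPolicy.inf (pre-install) plus the post-install certutil script.
# All names, URLs, the policy OID and the periods are assumed placeholder values.

# 1. Pre-install: CAPolicy.inf must exist in %SystemRoot% BEFORE the CA role is installed.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.3.6.1.4.1.99999.1.1          ; placeholder OID, use your organisation's arc
Notice="Contoso Certificate Practice Statement"
URL=http://pki.contoso.example/pki/cps.txt

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0              ; 0 = no delta CRLs issued at install
LoadDefaultTemplates=0             ; do not auto-issue the default templates
AlternateSignatureAlgorithm=0

[BasicConstraintsExtension]
PathLength=1                       ; limit the depth of subordinate CAs
Critical=Yes
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# 2. Post-install: settings CAPolicy.inf cannot express are set in the CA registry.
certutil -setreg CA\CRLOverlapPeriod "Hours"          # base CRL overlap (not in CAPolicy.inf)
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\AuditFilter 127                   # audit every CA event category
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
certutil -setreg CA\CSP\CNGHashAlgorithm SHA256       # KSP-backed CA: sign with SHA-256
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2  # requesters must not supply SANs
certutil -setreg CA\CRLPublicationURLs "1:$env:SystemRoot\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.example/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:SystemRoot\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.example/pki/%3%4.crt"
Restart-Service certsvc                                # registry changes take effect on restart
certutil -crl                                          # publish a CRL under the new settings
```

The CRLPeriod values from the original question appear only in the CAPolicy.inf here, so the post-install script does not repeat them; `certutil -getreg CA\CRLPeriod` after installation confirms they were picked up.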
