CAPolicy.inf Syntax

Applies To: Windows Server 2003 with SP1

The purpose of the CAPolicy.inf configuration file and its syntax are described in Windows Server 2003 Server Help.

If a CAPolicy.inf file exists, it supersedes the default configuration that is used to install a CA or renew its CA certificate.

Sample CAPolicy.inf File for CorporateRootCA

You can use the samples in this section for the root CA's CAPolicy.inf file. Verify that the parameters in the [Certsrv_Server] section match your requirements, according to the CPS.

Note

The parameters specified in the [Certsrv_Server] section must be greater than or equal to the key length and validity period used during CA setup; otherwise, the value specified in CAPolicy.inf is ignored.

Unfortunately, the key names are different for Windows 2000 and Windows Server 2003. However, the Windows Server 2003 Certification Server is able to interpret the old Windows 2000 syntax.

A CAPolicy.inf file for a Windows 2000 root CA would look like this:

[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriodUnits=Years
RenewalValidityPeriod=20
[CRLDistributionPoint]
[AuthorityInformationAccess]

A CAPolicy.inf file for a Windows Server 2003 root CA would look like this:

[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
[CRLDistributionPoint]
[AuthorityInformationAccess]

As you can see, the RenewalValidityPeriod and RenewalValidityPeriodUnits parameters are switched in Windows Server 2003 to make them more consistent.

Important

Although you can enter values for CRL Deltas and CRL Overlap, they will not be read during setup. To configure CRL Overlap and CRL Delta periods, you must run commands after installation. See Configure CRL and Delta CRL Overlap Periods (https://technet.microsoft.com/library/cc731104.aspx).

If you are using a Windows 2000 CA, see article 297528, "CRL Distribution Point Extension Is Not Suppressed by the Capolicy.inf File," in the Microsoft Knowledge Base.

Sample CAPolicy.inf File for IntermediateCA1

This section contains a sample for the subordinate CA's CAPolicy.inf file.

The object identifiers and the URLs are provided only as an example. You should replace the object identifier values with object identifiers that belong to your organization and verify that the URLs are pointing to a location that is accessible.

The CAPolicy.inf file syntax in Windows 2000 and Windows Server 2003 is basically the same, except that the [CApolicy] section, which was valid in Windows 2000, is now [PolicyStatementExtension].

On a Windows 2000 CA, the CAPolicy.inf file should look like the following sample, except that the italicized items are placeholders. The placeholders should be replaced with the information for your specific situation.

[Version]
Signature= "$Windows NT$"
[CApolicy]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0

For a Windows Server 2003 CA, the CAPolicy.inf file should look like the following sample, where the italicized items are placeholders.

[Version]
Signature= "$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0

Sample CAPolicy.inf File for CorporateEnt1CA

For the Windows 2000 Family

[Version]
Signature= "$Windows NT$"
[CApolicy]
Policies = LegalPolicy, LimitedUsePolicy
[LegalPolicy]
OID = 1.1.1.1.1.1.1.1.1
URL = "https://www.contoso.com/pki/Policy/USLegalPolicy.asp"
URL = "ftp://ftp.contoso.com/pki/Policy/USLegalPolicy.txt"
[LimitedUsePolicy]
OID = 2.2.2.2.2.2.2.2.2
URL = "https://www.contoso.com/pki/Policy/USLimitedUsePolicy.asp"
URL = "ftp://ftp.contoso.com/pki/Policy/USLimitedUsePolicy.txt"

For the Windows Server 2003 Family

[Version]
Signature= "$Windows NT$"
[PolicyStatementExtension]
Policies = LegalPolicy, LimitedUsePolicy
[LegalPolicy]
OID = 1.1.1.1.1.1.1.1.1
URL = "https://www.contoso.com/pki/Policy/USLegalPolicy.asp"
URL = "ftp://ftp.contoso.com/pki/Policy/USLegalPolicy.txt"
[LimitedUsePolicy]
OID = 2.2.2.2.2.2.2.2.2
URL = "https://www.contoso.com/pki/Policy/USLimitedUsePolicy.asp"
URL = "ftp://ftp.contoso.com/pki/Policy/USLimitedUsePolicy.txt"
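
The syntax differences described on this page (the swapped RenewalValidityPeriod and RenewalValidityPeriodUnits values, [CApolicy] versus [PolicyStatementExtension], and renewal values that are ignored when they fall below the values used during CA setup) can be checked before a CA is installed or renewed. The following Python script is an added example, not part of the original documentation; the function names, finding labels, case-insensitive matching, and the sample file are assumptions made for illustration.

```python
def parse_inf(text):
    """Return {section: [(key, value), ...]}; names are lower-cased for lookup (assumption)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip().strip('"')))
    return sections

def lint_capolicy(text, setup_key_length=None):
    """Report Windows 2000 syntax, too-small renewal keys, and policies without an OID."""
    s, findings = parse_inf(text), []
    if "capolicy" in s:
        findings.append("legacy-section: [CApolicy] is the Windows 2000 name for [PolicyStatementExtension]")
    srv = dict(s.get("certsrv_server", []))
    period, units = srv.get("renewalvalidityperiod", ""), srv.get("renewalvalidityperiodunits", "")
    # Windows Server 2003 order: Period holds the unit name, PeriodUnits holds the number.
    if period.isdigit() and units and not units.isdigit():
        findings.append("legacy-order: RenewalValidityPeriod/RenewalValidityPeriodUnits use Windows 2000 order")
    key_len = srv.get("renewalkeylength", "")
    if setup_key_length and key_len.isdigit() and int(key_len) < setup_key_length:
        findings.append("ignored-value: RenewalKeyLength is below the key length used during CA setup")
    # Every name listed under Policies needs its own section carrying an OID.
    ext = dict(s.get("policystatementextension", s.get("capolicy", [])))
    for name in filter(None, (p.strip() for p in ext.get("policies", "").split(","))):
        if not dict(s.get(name.lower(), [])).get("oid", ""):
            findings.append(f"bad-policy: [{name}] is missing or has no OID")
    return findings

# Constructed sample: Windows 2000 style file with the [LimitedUsePolicy] section left out.
SAMPLE = """\
[Version]
Signature= "$Windows NT$"
[CApolicy]
Policies = LegalPolicy, LimitedUsePolicy
[LegalPolicy]
OID = 1.1.1.1.1.1.1.1.1
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=Years
RenewalValidityPeriod=20
"""

if __name__ == "__main__":
    print("\n".join(lint_capolicy(SAMPLE, setup_key_length=4096)))
```

Pass the key length that was used during CA setup as setup_key_length; without it, the renewal key length check is skipped.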