Appendix B – CAPolicy.inf

Applies To: Windows Server 2003 with SP1

The CAPolicy.inf file contains settings that modify the default installation of the Certification Authority role of Active Directory Certificate Services (AD CS). The same file is read again when the CA certificate is renewed. A CAPolicy.inf file is not required to install AD CS or to renew a CA certificate; it is needed only to change the defaults. Because the file is read only at installation and at renewal, edits made to it afterwards do not take effect until the next time the CA certificate is renewed.

After you have created your CAPolicy.inf file, copy it into the %windir% folder (for example, C:\Windows) of the server before you install AD CS or renew the CA certificate.
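The file is silently ignored if its name, location or syntax is wrong, so it is worth checking it before the CA install or renewal consumes it. The following PowerShell is an added example, not code from the original page: it lints a staged CAPolicy.inf against the rules the sample below relies on (INF signature, every name in Policies has a section, URLs with spaces or commas are quoted, unescaped %<number>% tokens, Critical values) and then copies it to %windir% under the exact name the CA looks for. The function names, the staging path C:\Build\CAPolicy.inf and the check list are this example's own assumptions; the INF section and key names come from the sample.

```powershell
# Added example, not code from the original page: lint a staged CAPolicy.inf, then
# copy it to %windir%\CAPolicy.inf only when the lint is clean. Function names, the
# staging path and the check list are assumptions of this example.

function Test-CAPolicyInf {
    param([Parameter(Mandatory = $true)][string]$Path)
    $findings = New-Object System.Collections.Generic.List[string]

    # The file must really be named CAPolicy.inf (Notepad likes to append .txt).
    $item = Get-Item -LiteralPath $Path
    if ($item.Name -ne 'CAPolicy.inf') {
        $findings.Add("File is named '$($item.Name)'; the CA only reads CAPolicy.inf.")
    }

    # Minimal INF parse: [Section], Key = Value, ';' comments, repeated keys kept in order.
    $sections = @{}
    $current = $null
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = ($raw -replace '^\s*;.*$', '').Trim()          # whole-line comment
        if ($line -eq '') { continue }
        if ($line -match '^\[(?<name>[^\]]+)\]$') {
            $current = $Matches['name'].ToLowerInvariant()
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @() }
            continue
        }
        if ($null -eq $current) { $findings.Add("Entry before any [Section]: $line"); continue }
        $key, $value = $line -split '=', 2                     # first '=' only: LDAP URLs contain '='
        $value = ("$value" -replace '\s;.*$', '').Trim()       # trailing comment, e.g. '600 ; in seconds'
        $sections[$current] += New-Object PSObject -Property @{ Key = $key.Trim().ToLowerInvariant(); Value = $value }
    }

    # [Version] must carry the INF signature.
    $sig = @($sections['version'] | Where-Object { $_.Key -eq 'signature' })
    if ($sig.Count -ne 1 -or $sig[0].Value -ne '"$Windows NT$"') {
        $findings.Add('[Version] must contain Signature = "$Windows NT$".')
    }

    # Every name listed in Policies = ... needs a section of its own.
    foreach ($e in @($sections['policystatementextension'] | Where-Object { $_.Key -eq 'policies' })) {
        foreach ($name in ($e.Value -split ',')) {
            if (-not $sections.ContainsKey($name.Trim().ToLowerInvariant())) {
                $findings.Add("Policies lists '$($name.Trim())' but there is no [$($name.Trim())] section.")
            }
        }
    }

    # Per-entry rules taken from the comments in the sample file.
    foreach ($sec in $sections.Keys) {
        foreach ($e in $sections[$sec]) {
            if ($e.Key -eq 'url') {
                if ($e.Value -match '[ ,]' -and $e.Value -notmatch '^".*"$') {
                    $findings.Add("[$sec] URL with a space or comma must be quoted: $($e.Value)")
                }
                # A complete %<number>% token is substituted by the setup APIs and %% is the
                # escape, so drop escaped pairs first and flag any token that remains (e.g. %3%8%9).
                if (($e.Value -replace '%%', '') -match '%\d+%') {
                    $findings.Add("[$sec] URL contains an unescaped %<number>% token; write %% for a literal %: $($e.Value)")
                }
            }
            if ($e.Key -eq 'critical' -and $e.Value -notmatch '^(true|false|yes|no|1|0)$') {
                $findings.Add("[$sec] Critical must be true/false, yes/no or 1/0; got '$($e.Value)'.")
            }
        }
    }
    return ,$findings
}

function Install-CAPolicyInf {
    # Copies the staged file into %windir% as CAPolicy.inf, but only if the lint is clean.
    param([Parameter(Mandatory = $true)][string]$StagedPath)
    $findings = Test-CAPolicyInf -Path $StagedPath
    if ($findings.Count -gt 0) {
        $findings | ForEach-Object { Write-Warning $_ }
        throw "CAPolicy.inf not installed: $($findings.Count) finding(s)."
    }
    $dest = Join-Path $env:windir 'CAPolicy.inf'
    Copy-Item -LiteralPath $StagedPath -Destination $dest -Force
    return $dest
}

# Usage (assumed staging path): run before installing AD CS or renewing the CA certificate.
Install-CAPolicyInf -StagedPath 'C:\Build\CAPolicy.inf'
```

Key names and Critical values are compared case-insensitively, matching the mixed-case spellings the sample file uses deliberately. The trailing-comment rule strips everything after a space followed by ; which is enough for the sample but would also truncate a quoted value that happens to contain that sequence.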

CAPolicy.inf

The following is the text of a sample CAPolicy.inf. You can create and save it with any text editor, such as Notepad.exe. Save the file with the .inf file extension, not .txt or another extension; in Notepad, choose All Files as the file type so that it does not append .txt. The file must be named CAPolicy.inf and must be in the %windir% folder, or it is ignored.

[Version]
Signature= "$Windows NT$"
;[CAPolicy]
[PolicyStatementExtension]
Policies = LegalPolicy, LimitedUsePolicy, ExtraPolicy, OIDPolicy, EmptyPolicy
Critical = 0
[LegalPolicy]
OID = 1.3.6.1.4.1.311.21.43
Notice = "Legal policy statement text."
[LimitedUsePolicy]
OID = 1.3.6.1.4.1.311.21.47
URL = "https://http.site.com/some where/default.asp"
URL = "ftp://ftp.site.com/some where else/default.asp"
Notice = "Limited use policy statement text."
URL = "ldap://ldap.site.com/some where else again/default.asp"
[ExtraPolicy]
OID = 1.3.6.1.4.1.311.21.53
URL = "https://extra.site.com/Extra Policy/default.asp"
[oidpolicy]
OID = 1.3.6.1.4.1.311.21.55
[emptypolicy]
; For CRLDistributionPoint, AuthorityInformationAccess and
; CrossCertificateDistributionPointsExtension URLs:
;
; #define wszFCSAPARM_SERVERDNSNAME               L"%1"
; #define wszFCSAPARM_SERVERSHORTNAME             L"%2"
; #define wszFCSAPARM_SANITIZEDCANAME             L"%3"
; #define wszFCSAPARM_CERTFILENAMESUFFIX          L"%4"
; #define wszFCSAPARM_DOMAINDN                    L"%5"
; #define wszFCSAPARM_CONFIGDN                    L"%6"
; #define wszFCSAPARM_SANITIZEDCANAMEHASH         L"%7"
; #define wszFCSAPARM_CRLFILENAMESUFFIX           L"%8"
; #define wszFCSAPARM_CRLDELTAFILENAMESUFFIX      L"%9"
; #define wszFCSAPARM_DSCRLATTRIBUTE              L"%10"
; #define wszFCSAPARM_DSCACERTATTRIBUTE           L"%11"
; #define wszFCSAPARM_DSUSERCERTATTRIBUTE         L"%12"
; #define wszFCSAPARM_DSKRACERTATTRIBUTE          L"%13"
; #define wszFCSAPARM_DSCROSSCERTPAIRATTRIBUTE    L"%14"
;
; Setup APIs replace all %<number>% sequences with various directory paths.
; %3%8%9 in the first URL below presents two opportunities for string
; replacement with a directory path.  To avoid this, use two percent signs
; to escape the setup API string replacement.
;
; URLs with spaces or commas must be quoted to avoid INF parsing problems
;
; default CDP registry URLs:
;
; D:\WINDOWS\System32\CertSrv\CertEnroll\%3%8%9.crl
; ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
; https://%1/CertEnroll/%3%8%9.crl
; file://\\%1\CertEnroll\%3%8%9.crl
[AuthorityInformationAccess]
URL = https://%1/Public/My CA.crt
URL = ftp://foo.com/Public/MyCA.crt
URL = file://\\%1\Public\My CA.crt
CriticAL = falSe
[CRLDistributionPoint]
URL = https://%1/Public/My CA.crl
URL = ftp://%1/Public/MyCA.crl
URL = file://\\%1\Public\My CA.crl
CriticAL = trUe
[CrossCertificateDistributionPointsExtension]
SyncDeltaTime = 600 ; in seconds
URL = https://%1/Public/My CCDP.crl
URL = ftp://%1/Public/MyCCDP.crl
URL = file://\\%1\Public\My CCDP.crl
CriticAL = yeS
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.21.6 ; szOID_KP_KEY_RECOVERY_AGENT
OID = 1.3.6.1.4.1.311.10.3.9 ; szOID_ROOT_LIST_SIGNER
OID = 1.3.6.1.4.1.311.10.3.1 ; szOID_KP_CTL_USAGE_SIGNING
CriticAL = False
[basicconstraintsextension]
pathlength = 13
criticaL=falsE
[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=0x18
RenewalValidityPeriod=years
CRLPeriod = days
CRLPeriodUnits = 2
CRLDeltaPeriod = hours
CRLDeltaPeriodUnits = 4
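Once the CA is installed or its certificate renewed, the only proof that the file was honoured is the resulting CA certificate and the CA's registry configuration. The following PowerShell is an added example, not code from the original page: it exports the current CA certificate with certutil, reads the CRL settings from the CertSvc configuration key, and compares both against the values in the sample file above (path length 13, the three EKU OIDs, a 2-day CRL and a 4-hour delta CRL). The export path, the function names and the expected values in the usage lines are this example's own assumptions; the registry value names match the [certsrv_server] keys above.

```powershell
# Added example, not code from the original page: confirm that the CA certificate and
# CRL settings match what CAPolicy.inf asked for. Export path, function names and the
# expected values in the usage lines are assumptions of this example.

$certSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CAPolicyState {
    param([string]$CertFile = (Join-Path $env:TEMP 'ca-current.cer'))

    # The CA named in the 'Active' value owns the configuration subkey with the CRL settings.
    $caName = (Get-ItemProperty -Path $certSvcConfig -Name Active).Active
    $cfg    = Get-ItemProperty -Path (Join-Path $certSvcConfig $caName)

    # certutil -ca.cert exports the CA's current certificate (the newest one after a renewal).
    & certutil.exe -ca.cert $CertFile | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile

    $bc  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    New-Object PSObject -Property @{
        CAName         = $caName
        KeyLength      = $cert.PublicKey.Key.KeySize
        NotAfter       = $cert.NotAfter
        IsCA           = $(if ($bc) { $bc.CertificateAuthority } else { $false })
        PathLength     = $(if ($bc -and $bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { $null })
        EKUs           = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        CRLPeriod      = "$($cfg.CRLPeriodUnits) $($cfg.CRLPeriod)"
        CRLDeltaPeriod = "$($cfg.CRLDeltaPeriodUnits) $($cfg.CRLDeltaPeriod)"
        # One line per extension: OID, friendly name, criticality and the decoded text
        # (policy OIDs and notices, CDP/AIA URLs), so the [Policy*] sections can be eyeballed too.
        Extensions     = @($cert.Extensions | ForEach-Object {
                             '{0} ({1}) critical={2}: {3}' -f $_.Oid.Value, $_.Oid.FriendlyName, $_.Critical, $_.Format($false) })
    }
}

function Test-CAPolicyApplied {
    param($State, [int]$PathLength, [string[]]$EKUs, [string]$CRLPeriod, [string]$CRLDeltaPeriod)
    $problems = @()
    if (-not $State.IsCA) { $problems += 'basic constraints do not mark the certificate as a CA' }
    if ($State.PathLength -ne $PathLength) { $problems += "pathlength is '$($State.PathLength)', expected $PathLength" }
    foreach ($oid in $EKUs) { if ($State.EKUs -notcontains $oid) { $problems += "EKU $oid is missing" } }
    if ($State.CRLPeriod -ne $CRLPeriod) { $problems += "CRL period is '$($State.CRLPeriod)', expected '$CRLPeriod'" }
    if ($State.CRLDeltaPeriod -ne $CRLDeltaPeriod) { $problems += "delta CRL period is '$($State.CRLDeltaPeriod)', expected '$CRLDeltaPeriod'" }
    return $problems
}

# Usage on the CA, as a CA administrator, with the values from the sample file above.
$state = Get-CAPolicyState
$state.Extensions
$problems = Test-CAPolicyApplied -State $state -PathLength 13 -CRLPeriod '2 days' -CRLDeltaPeriod '4 hours' `
    -EKUs '1.3.6.1.4.1.311.21.6', '1.3.6.1.4.1.311.10.3.9', '1.3.6.1.4.1.311.10.3.1'
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'CAPolicy.inf settings confirmed.' }
```

String comparisons in PowerShell are case-insensitive, so the registry's "Days" and "Hours" match the lower-case units written in the file. For a subordinate CA, the extensions from CAPolicy.inf go into the certificate request; what ends up in the certificate is decided by the parent CA that signs it, so run the check against the certificate the parent actually issued.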

Note

Name constraints are not supported in CAPolicy.inf.

See Also

Other Resources

Windows Server 2008 R2 CAPolicy.inf Syntax
Certification Authority Guidance
AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy