Appendix A – Policy.Inf

Applies To: Windows Server 2003 with SP1

[Version]
Signature= "$Windows NT$"
; ===========================================================
; Request Attributes
; top level section
; ===========================================================
[RequestAttributes]
CertificateTemplate = CrossCA
AttributeName1 = AttributeValue1
AttributeName2 = AttributeValue2
; ===========================================================
; NameConstraintsExcluded Name Constraints Extension
; szOID_NAME_CONSTRAINTS   2.5.29.30
; top level section
; ===========================================================
[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = TrUe
[NameConstraintsPermitted]
; list of user defined permitted DNS names
; the numeric second and third arguments are optional
; when present, the second argument is the minimum depth
; when present, the third argument is the maximum depth
; NOTE: Crypto APIs fail to process cert chains when the minimum or maximum
; depth is specified!
DNS = foo@domain.com
DNS = domain1.domain.com
email=me@you.com
UPN=user@domain.com
; the first is an IP address, the second is an IP address mask
IPADDRESS=255.255.18.172,255.255.255.0
ipaddress=::255.255.18.172,::255.255.255.0
ipaddress=1234:5678:9abc:def0:3210:7654:ba98:fedc,1234:5678:9abc:def0:3210:7654:ba98:fedc
ipaddress=::5678:9abc:def0:3210:7654:ba98:fedc,1234:5678:9abc:def0:3210:7654:ba98:fedc
ipaddress=1234::def0:3210:7654:ba98:fedc,1234:5678:9abc:def0:3210:7654:ba98:fedc
ipaddress=1234:5678:9abc:def0:3210:7654:ba98::,1234:5678:9abc:def0:3210:7654:ba9:fedc
ipaddress=1234:5678:9abc:def0:3210:7654::,1234:5678:9abc:def0:3210:7654:ba98:fedc
url=https://localhost/certsrv/default.html
url=file://\\localhost\certsrv\default.html
DIRECTORYNAME = "cn=mycn,ou=myou,s=mystate,c=us"
[NameConstraintsExcluded]
; list of user defined excluded DNS names
DNS = domain.com
; ===========================================================
; Policy (CPS) Extension
; szOID_CERT_POLICIES   2.5.29.32
; top level section
; ===========================================================
[PolicyStatementExtension]
; list of user defined policies
Policies = LegalPolicy, LimitedUsePolicy, ExtraPolicy, OIDPolicy
CRITICAL = FALSE
[LegalPolicy]
; each policy has one OID, and zero or more Notice and URL keys
OID = 1.3.6.1.4.1.311.21.43
Notice = "Legal policy statement text"
[LimitedUsePolicy]
OID = 1.3.6.1.4.1.311.21.47
URL = "https://http.site.com/some where/default.asp"
URL = "ftp://ftp.site.com/some where else/default.asp"
Notice = "Limited use policy statement text."
URL = "ldap://ldap.site.com/some where else again/default.asp"
[ExtraPolicy]
OID = 1.3.6.1.4.1.311.21.53
URL = https://extra.site.com/Extra Policy/default.asp
[oidpolicy]
OID = 1.3.6.1.4.1.311.21.55
; ===========================================================
; Policy Mapping Extension
; szOID_POLICY_MAPPINGS   2.5.29.33
; top level section
; ===========================================================
[PolicyMappingsExtension]
; list of user defined policy mappings
; first OID is Issuer Domain Policy OID, second is Subject Domain Policy OID
; each entry maps one foreign policy OID to local
1.3.6.1.4.1.311.21.53 = 1.2.3.4.87
1.3.6.1.4.1.311.21.54 = 1.2.3.4.89
critical = yEs
; ===========================================================
; Policy Constraints Extension
; szOID_POLICY_CONSTRAINTS   2.5.29.36
; top level section
; ===========================================================
[PolicyConstraintsExtension]
; consists of two optional DWORDs
; They refer to the depth of the CA hierarchy that requires explicit policy
; and inhibits Policy Mapping
RequireExplicitPolicy  = 3
InhibitPolicyMapping = 5
; ===========================================================
; Application Policy (CPS) Extension
; szOID_APPLICATION_CERT_POLICIES   1.3.6.1.4.1.311.21.10
; top level section
; ===========================================================
[ApplicationPolicyStatementExtension]
; list of user defined policies
Policies = AppLegalPolicy, AppLimitedUsePolicy, AppExtraPolicy, AppOIDPolicy
CRITICAL = FALSE
[AppLegalPolicy]
; each policy has one OID, and zero or more Notice and URL keys
OID = 1.3.6.1.4.1.311.21.54
Notice = "Application Legal policy statement text"
[AppLimitedUsePolicy]
OID = 1.3.6.1.4.1.311.21.58
URL = "https://http.site.com/application some where/default.asp"
URL = "ftp://ftp.site.com/application some where else/default.asp"
Notice = "Application Limited use policy statement text."
URL = "ldap://ldap.site.com/application some where else again/default.asp"
[AppExtraPolicy]
OID = 1.3.6.1.4.1.311.21.64
URL = https://extra.site.com/Application Extra Policy/default.asp
[Appoidpolicy]
OID = 1.3.6.1.4.1.311.21.66
; ===========================================================
; Application Policy Mapping Extension
; szOID_APPLICATION_POLICY_MAPPINGS   1.3.6.1.4.1.311.21.11
; top level section
; ===========================================================
[ApplicationPolicyMappingsExtension]
; list of user defined application policy mappings
; first OID is Issuer Domain Policy OID, second is Subject Domain Policy OID
; each entry maps one foreign policy OID to local
1.3.6.1.4.1.311.21.64 = 1.2.3.4.98
1.3.6.1.4.1.311.21.65 = 1.2.3.4.100
critical = trUE
; ===========================================================
; Application Policy Constraints Extension
; szOID_APPLICATION_POLICY_CONSTRAINTS   1.3.6.1.4.1.311.21.12
; top level section
; ===========================================================
[ApplicationPolicyConstraintsExtension]
; consists of two optional DWORDs
; They refer to the depth of the CA hierarchy that requires explicit policy
; and inhibits Policy Mapping
RequireExplicitPolicy  = 6
InhibitPolicyMapping = 10
; ===========================================================
; Basic Constraints Extension
; szOID_BASIC_CONSTRAINTS2   2.5.29.19
; top level section
; ===========================================================
[BasicConstraintsExtension]
; Subject Type is not supported  always set to CA
; maximum subordinate CA path length
PathLength = 3
[EnhancedKeyUsageExtension]
;OID = 1.3.6.1.4.1.311.21.6   ; szOID_KP_KEY_RECOVERY_AGENT
;OID = 1.3.6.1.4.1.311.10.3.9   ; szOID_ROOT_LIST_SIGNER
;OID = 1.3.6.1.4.1.311.10.3.1   ; szOID_KP_CTL_USAGE_SIGNING
; The following match the [ApplicationPolicyStatementExtension] section:
OID = 1.3.6.1.4.1.311.21.54
OID = 1.3.6.1.4.1.311.21.58
OID = 1.3.6.1.4.1.311.21.64
OID = 1.3.6.1.4.1.311.21.66
CriticAL = False
; ===========================================================
; Cross Certificate Distribution Points Extension
; szOID_CROSS_CERT_DIST_POINTS   1.3.6.1.4.1.311.10.9.1
; top level section
; ===========================================================
[CrossCertificateDistributionPointsExtension]
SyncDeltaTime = 24
URL = https://%1/Public/My CA.crt
URL = ftp://foo.com/Public/MyCA.crt
URL = file://\\%1\Public\My CA.crt
CriticAL = false