Install Policy (CAPolicy.inf) Template for Windows Server 2008 R2 Policy CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy.  While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment.

The install policy below is specifically for a Policy CA in a three-tier hierarchy.  With this policy, your Policy CA certificate will last 10 years and you will only need to update your CRL once a year, allowing you to keep the Policy CA offline for all but a few minutes a year.

Since this is a Policy CA, we also include a link to the Certificate Practice Statement in the configuration.

Save the text below into a file named “CAPolicy.inf” (changing the placeholder items, CompanyName and WEBSERVER, to fit your environment) and place it in C:\Windows before adding the Active Directory Certificate Services role on your Policy CA.


; CAPolicy.inf for the Policy (intermediate) CA.  Replace CompanyName and
; WEBSERVER with values for your environment; the policy name after Policies=
; must match the section name below exactly.
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=CompanyNameCPS

[CompanyNameCPS]
; 1.3.6.1.4.1.311 is Microsoft's arc; use an OID registered to your organisation.
OID=1.3.6.1.4.1.311.509.3.1
NOTICE=CompanyName Certificate Practice Statement
URL=http://WEBSERVER/Policies-Checklists-Procedures/

[certsrv_server]
; Used when the CA certificate is renewed; the parent CA's issuance settings
; still cap the lifetime of a subordinate CA certificate.
RenewalKeyLength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years

; One base CRL a year with a two-week overlap, and no delta CRLs.
CRLPeriod=weeks
CRLPeriodUnits=52
CRLOverlapPeriod=weeks
CRLOverlapUnits=2
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

; Alternate (PKCS#1 v2.1) signature format; clients that do not support it,
; Windows XP among them, cannot validate the chain, so test before enabling.
AlternativeSignatureAlgorithm=1
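A mismatch between the Policies= name and its section, a misspelled [certsrv_server] key (the DiscreteSignatureAlgorithm slip a reader flagged in the comments) or an overlap longer than the CRL period is easy to miss until the AD CS wizard has already consumed the file. The validator below is an added example, not code from the original post, using Python's configparser; the Contoso sample it parses is constructed, with only the OID taken from the template above.

```python
import configparser
# Constructed sample: the page's template with made-up placeholder values (Contoso, pki.contoso.example).
SAMPLE_CAPOLICY = """\
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=ContosoCPS
[ContosoCPS]
OID=1.3.6.1.4.1.311.509.3.1
NOTICE=Contoso Certificate Practice Statement
URL=http://pki.contoso.example/Policies-Checklists-Procedures/
[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years
CRLPeriod=weeks
CRLPeriodUnits=52
CRLOverlapPeriod=weeks
CRLOverlapUnits=2
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
AlternativeSignatureAlgorithm=1
"""

DAYS = {"hours": 1 / 24, "days": 1, "weeks": 7, "months": 30, "years": 365}
# [certsrv_server] keys used on this page; anything else (e.g. DiscreteSignatureAlgorithm) is flagged.
KNOWN_SERVER_KEYS = set("""RenewalKeyLength RenewalValidityPeriodUnits RenewalValidityPeriod
    CRLPeriod CRLPeriodUnits CRLOverlapPeriod CRLOverlapUnits CRLDeltaPeriod
    CRLDeltaPeriodUnits AlternativeSignatureAlgorithm""".split())

def check_capolicy(text):
    """Return the problems found in a CAPolicy.inf; an empty list means it passed."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key names exactly as written
    cfg.read_string(text)
    problems = []
    if cfg.get("Version", "Signature", fallback=None) != '"$Windows NT$"':
        problems.append('[Version] must contain Signature="$Windows NT$"')
    # Every name listed in Policies= needs its own section carrying an OID.
    for name in (n.strip() for n in cfg.get("PolicyStatementExtension", "Policies", fallback="").split(",")):
        if name and not cfg.has_option(name, "OID"):
            problems.append(f"policy {name!r} has no [{name}] section with an OID")
    srv = cfg["certsrv_server"] if cfg.has_section("certsrv_server") else {}
    problems += [f"unknown [certsrv_server] key {k!r}" for k in srv if k not in KNOWN_SERVER_KEYS]
    # The overlap is a grace window after the next CRL is due, so it must be shorter than the period.
    period = int(srv.get("CRLPeriodUnits", 0)) * DAYS[srv.get("CRLPeriod", "days").lower()]
    overlap = int(srv.get("CRLOverlapUnits", 0)) * DAYS[srv.get("CRLOverlapPeriod", "days").lower()]
    if overlap >= period:
        problems.append("CRLOverlapPeriod must be shorter than CRLPeriod")
    return problems
```

Run it against the file before installing the role; an empty list means the three checks passed.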


2 Responses to “Install Policy (CAPolicy.inf) Template for Windows Server 2008 R2 Policy CA”

  1. The location to save the file to is incorrect. It should be c:\windows. Also, DiscreteSignatureAlgorithm should be AlternativeSignatureAlgorithm.
