Install Policy (CAPolicy.inf) Template for Windows Server 2008 R2 Policy CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy.  While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment.

The Install Policy below is specifically for a Policy CA in a three tier hierarchy.  With this policy, your Policy CA certificate will last 10 years and you will only need to update your CRL once a year, allowing you to keep the Policy CA offline all but a few minutes a year.

Since this is a Policy CA, we also include a link to the Certificate Practice Statement in the configuration.

Save the text below into a file named “CAPolicy.inf” (changing the items in bold to fit your environment) and place it in C:\Windows prior to adding the Active Directory Certificate Services role on your Policy CA.

[Version Intermediate CAPolicy]
Signature="$Windows NT$"


NOTICE=[CompanyName]  Certificate Practice Statement




2 Responses to “Install Policy (CAPolicy.inf) Template for Windows Server 2008 R2 Policy CA”

  1. the location to save the file to is incorrect. Should be c:\windows. Also, DiscreteSignatureAlgorithm should be AlternativeSignatureAlgorithm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s