Install Policy (CAPolicy.inf) Template for Windows Server 2008 R2 Root CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy.  While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment.

The Install Policy below is specifically for a Root CA in a three-tier hierarchy. With this policy, your Root CA certificate will last 20 years and the base CRL is valid for 52 weeks (plus the two-week overlap), so you only need to sign and publish a new CRL once a year, allowing you to keep the Root CA offline all but a few minutes a year. Delta CRLs are disabled (CRLDeltaPeriodUnits=0), which is what you want for an offline root that only ever revokes a handful of subordinate CA certificates. Two caveats before you adopt it: AlternateSignatureAlgorithm=1 makes the CA sign with the PKCS #1 v2.1 (RSASSA-PSS) format, which Windows XP clients cannot validate, and the key length and lifetime of the root certificate are fixed when the CA is installed, so changing either later means renewing the CA certificate.

Copy the text below into a file named “CAPolicy.inf” and place it in C:\Windows (%windir%) before adding the Active Directory Certificate Services role on your Root CA. The file is read while the role is being configured (and again at each CA certificate renewal); if it is missing, or the section header or a key name is misspelled, setup silently falls back to the defaults (a five-year root certificate and a one-week CRL), so verify the effective values with certutil -getreg CA\CRLPeriodUnits (and the other CRL keys) after installation.


; CAPolicy.inf for an offline Root CA (three-tier hierarchy)
[Version]
Signature="$Windows NT$"

[certsrv_server]
; key length and lifetime of the root CA certificate, applied at install and at each renewal
RenewalKeyLength=2048
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=years

; base CRL valid for 52 weeks, published with a 2-week overlap; no delta CRLs
CRLPeriod=weeks
CRLPeriodUnits=52
CRLOverlapPeriod=weeks
CRLOverlapUnits=2
CRLDeltaPeriod=days
CRLDeltaPeriodUnits=0

; sign with the PKCS #1 v2.1 (RSASSA-PSS) format; not supported by Windows XP clients
AlternateSignatureAlgorithm=1
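Because a misspelled section header or key name in CAPolicy.inf is ignored without any error, it is worth confirming that the settings actually took effect. The script below is an added example, not part of the original post: run it elevated on the Root CA after the AD CS role has been installed. It reads the effective CRL settings from the CA's configuration key in the registry, locates the self-signed CA certificate in the machine store, and compares lifetime, key length and signature format against the values the template is meant to produce. The expected values in $Expected, $ExpectedKeyLength and $ExpectedLifeYears are assumptions taken from the template above; change them if you changed the template.

```powershell
# Added verification script (not from the original post). Run in an elevated
# PowerShell session on the Root CA after the AD CS role has been installed.
# Expected values below are assumptions taken from the CAPolicy.inf template.
$Expected = @{
    CRLPeriod           = 'Weeks'
    CRLPeriodUnits      = 52
    CRLOverlapPeriod    = 'Weeks'
    CRLOverlapUnits     = 2
    CRLDeltaPeriod      = 'Days'
    CRLDeltaPeriodUnits = 0
}
$ExpectedKeyLength = 2048
$ExpectedLifeYears = 20
# Signature algorithm OID written into certificates when AlternateSignatureAlgorithm=1
$PssOid = '1.2.840.113549.1.1.10'   # RSASSA-PSS

# The CA service keeps its configuration under CertSvc\Configuration\<CA name>;
# the "Active" value names the CA that is currently configured on this host.
$CertSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName  = (Get-ItemProperty -Path $CertSvc -Name Active).Active
$Config  = Get-ItemProperty -Path (Join-Path $CertSvc $CaName)

$Failures = @()

# 1. CRL settings: these are what the [certsrv_server] section should have written.
foreach ($Name in $Expected.Keys) {
    $Actual = $Config.$Name
    if ("$Actual" -ne "$($Expected[$Name])") {
        $Failures += "CA\$Name is '$Actual', expected '$($Expected[$Name])'"
    }
}

# 2. Root CA certificate: self-signed (Subject equals Issuer) and the CA holds its
#    private key. Take the newest one in case the CA has already been renewed.
$RootCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -eq $_.Issuer } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if (-not $RootCert) {
    $Failures += 'No self-signed certificate with a private key found in Cert:\LocalMachine\My'
} else {
    # Lifetime: RenewalValidityPeriod/Units. Setup back-dates NotBefore by a few
    # minutes for clock skew, so allow a small tolerance.
    $LifeYears = ($RootCert.NotAfter - $RootCert.NotBefore).TotalDays / 365.25
    if ([math]::Abs($LifeYears - $ExpectedLifeYears) -gt 0.1) {
        $Failures += "Root certificate lifetime is $([math]::Round($LifeYears, 2)) years, expected $ExpectedLifeYears"
    }

    # Key length: RenewalKeyLength.
    $KeySize = $RootCert.PublicKey.Key.KeySize
    if ($KeySize -ne $ExpectedKeyLength) {
        $Failures += "Root key length is $KeySize bits, expected $ExpectedKeyLength"
    }

    # Signature format: AlternateSignatureAlgorithm=1 should give RSASSA-PSS.
    if ($RootCert.SignatureAlgorithm.Value -ne $PssOid) {
        $Failures += "Signature algorithm is $($RootCert.SignatureAlgorithm.FriendlyName) ($($RootCert.SignatureAlgorithm.Value)); AlternateSignatureAlgorithm=1 was not applied"
    }
}

# 3. Report. Any failure usually means the section header or a key in CAPolicy.inf
#    was misspelled, or the file was not in %windir% when the role was installed.
if ($Failures.Count -eq 0) {
    Write-Host "CAPolicy.inf settings were applied to CA '$CaName' (root cert thumbprint $($RootCert.Thumbprint))." -ForegroundColor Green
} else {
    Write-Warning "CAPolicy.inf settings were NOT fully applied to CA '$CaName':"
    $Failures | ForEach-Object { Write-Warning "  $_" }
}
```

If the CRL values are wrong but you do not want to reinstall, they can be corrected on the running CA with certutil -setreg CA\CRLPeriodUnits 52, certutil -setreg CA\CRLPeriod "Weeks" (and the corresponding Overlap and Delta keys) followed by a restart of the CertSvc service and certutil -CRL. The certificate lifetime, key length and signature format cannot be fixed that way; those require renewing the CA certificate, and changing the key length means renewing with a new key pair.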


2 Responses to “Install Policy (CAPolicy.inf) Template for Windows Server 2008 R2 Root CA”

  1. Hello Rebecca,
    after I read your post, it seems to me this can solve a problem I have, but I’d like to ask you for further details. In the company I’ve been working for, we set up a web application that requires the customers to use certificates.
    Then we prepared an Enterprise CA on a Windows Server 2008 R2 machine, which issues root and personal certificates.
    My problem is that during the CA installation, we set up the validity period of the root certificate to 1 year only, while a common value for this parameter is 5 years.
    By using your CAPolicy.inf file, is there any chance to change the root certificate validity parameter, without re-installing the whole CA and without re-sending new root certificates to the already affiliated customers?
    Thanks in advance for any help you may provide.

    • I don’t believe that is possible, I think you’ll have to reinstall the CA in order to extend it to five years. If you back up your key pair first and use that during installation though, you may be able to simply renew that key pair for the longer period after the CA installation (I’ve never tried that so that’s a bit of a guess). However, there is really no getting around sending out the new, extended CA to all of your customers. Here’s a good article on CA renewals:

      http://technet.microsoft.com/en-us/library/cc740209(WS.10).aspx

      If you want my advice, do the whole thing over again from scratch, it’ll be good practice ; )
