Install Policy (CAPolicy.inf) Template for Windows Server 2008 R2 Issuing CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy. While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment. For more complete information on the CAPolicy.inf file, see the excellent “Windows Server 2008 CAPolicy.inf Syntax” Microsoft blog post.

The Install Policy below is specifically for an Issuing CA in a three-tier hierarchy. With this policy, your Issuing CA will issue certificates lasting up to 2 years, and your CRL will need to be republished at least every three days (it should be set to publish automatically anyway).

Save the text below into a file named “CAPolicy.inf” and place it in C:\Windows prior to adding the Active Directory Certificate Services role on your Issuing CA.


[Version]
Signature="$Windows NT$"

[certsrv_server]
; Key length used for the Issuing CA's own key when its certificate is renewed.
RenewalKeyLength=2048
; The *Period keys take the unit word; the *Units keys take the count.
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=2

; Base CRL every 3 days; the 4-hour overlap keeps the previous CRL valid
; while the new one is being published to the CDP locations.
CRLPeriod=Days
CRLPeriodUnits=3
CRLOverlapPeriod=Hours
CRLOverlapUnits=4
; Delta CRL every 12 hours.
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=12

; PKCS#1 v2.1 (discrete) signatures; clients without PKCS#1 v2.1 support,
; such as Windows XP, cannot validate certificates signed this way.
AlternateSignatureAlgorithm=1
; Do not load the default certificate templates when the role is installed.
LoadDefaultTemplates=0
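The easiest mistake to make in CAPolicy.inf is putting the count in a *Period key and the unit word in the matching *Units key, which the CA silently ignores. Below is an added lint script, not part of the original post, that parses a CAPolicy.inf and reports swapped pairs, a wrong [Version] header, and the misspelt AlternateSignatureAlgorithm key; the sample INF it carries is constructed for the demonstration.

```python
import configparser

# Unit words the CA accepts in the *Period keys (the count goes in *Units).
UNIT_WORDS = {"years", "months", "weeks", "days", "hours", "minutes"}
# (unit-word key, count key) pairs recognised in [certsrv_server].
PAIRS = [
    ("RenewalValidityPeriod", "RenewalValidityPeriodUnits"),
    ("CRLPeriod", "CRLPeriodUnits"),
    ("CRLOverlapPeriod", "CRLOverlapUnits"),
    ("CRLDeltaPeriod", "CRLDeltaPeriodUnits"),
]

def lint_capolicy(text):
    """Return a list of findings; an empty list means the file looks right."""
    cp = configparser.ConfigParser(interpolation=None)  # INF uses ';' comments
    cp.read_string(text)
    findings = []
    # The header must be exactly [Version]; any other name is ignored by the CA.
    if "Version" not in cp or cp["Version"].get("Signature") != '"$Windows NT$"':
        findings.append('need [Version] section with Signature="$Windows NT$"')
    srv = cp["certsrv_server"] if "certsrv_server" in cp else {}
    for period_key, units_key in PAIRS:
        period, units = srv.get(period_key), srv.get(units_key)
        if period is None and units is None:
            continue  # pair not set; the CA defaults apply
        if period is None or units is None:
            findings.append(f"{period_key} and {units_key} must be set together")
        elif period.isdigit() and units.lower() in UNIT_WORDS:
            findings.append(f"{period_key}/{units_key} are swapped: "
                            f"should be {period_key}={units} {units_key}={period}")
        elif period.lower() not in UNIT_WORDS or not units.isdigit():
            findings.append(f"{period_key}={period} {units_key}={units}: "
                            "expected a unit word and a whole number")
    if "AlternativeSignatureAlgorithm" in srv:
        findings.append("AlternativeSignatureAlgorithm: key is AlternateSignatureAlgorithm")
    return findings

# Constructed sample with a bad header, two swapped pairs and a misspelt key.
SWAPPED_INF = """[Version Issuing CAPolicy]
Signature="$Windows NT$"
[certsrv_server]
RenewalValidityPeriodUnits=years
RenewalValidityPeriod=2
CRLPeriod=3
CRLPeriodUnits=days
AlternativeSignatureAlgorithm=1
"""

if __name__ == "__main__":
    print("\n".join(lint_capolicy(SWAPPED_INF)) or "no findings")
```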
