The CAPolicy.inf file provides Certificate Services configuration information, which is read during initial CA installation and whenever you renew a CA certificate. The CAPolicy.inf file defines settings specific to root CAs, as well as settings that affect all CAs in the CA hierarchy. The CAPolicy.inf file provides the following information for a root CA:
■ Certificate revocation list (CRL) publication points. When validating a certificate chain, the certificate chaining engine must validate every certificate in the chain. Rather than using the default CRL publication points, you can define custom CRL publication points based on your network's configuration. The order of the publication points matters because a client attempts to retrieve the CRL in the order defined in the CAPolicy.inf file.
■ CA certificate publication points. The certificate chaining engine might have to download the root CA's certificate. This section of the CAPolicy.inf file defines the publication points for the root CA's certificate. The actual order of the publication points is important because a client attempts to retrieve the CA certificate in the order defined in the CAPolicy.inf file.
■ Enhanced Key Usage. The CAPolicy.inf file can limit the application purposes of certificates issued by the CA. For example, if you limit the CA to issuing certificates for client authentication, server authentication, or secure e-mail, the CA cannot issue any certificates for the purpose of code signing.
■ The renewal configuration. The CAPolicy.inf defines the renewal key length and validity period for the root CA's certificate. Typically, this section of the CAPolicy.inf file is configured to match the initial key length and validity period defined for the root CA. Matching the initial key length and validity period ensures that the designed settings are not modified when the CA's key pair is renewed.
Note: You can only designate the cryptographic service provider (CSP) used by the CA at installation time. You cannot change the CSP by modifying the CAPolicy.inf file.
The CAPolicy.inf file is also used in the installation of subordinate CAs in the hierarchy. The following settings in the file can be defined for both root and subordinate CAs:
■ Certificate practice statement (CPS) information. The CPS defines the operating procedures and practices employed at the CA, as well as at subordinate CAs, which enforce the certificate policies implemented at the CAs. The CPS is typically applied at:
    ■ The root CA in a single-tier CA hierarchy.
    ■ The combination policy CA/issuing CA in a two-tier CA hierarchy.
    ■ The policy CAs in a three-tier CA hierarchy.
■ CRL publication interval. The base CRL is published at the interval defined in the CAPolicy.inf file.
■ Delta CRL publication interval. The delta CRL is published at the interval defined in the CAPolicy.inf file. If the interval is defined as a value of zero, the publication of delta CRLs is disabled at the CA.
■ Basic Constraints. A path length limit can be set on the number of CA certificates allowed below the CA in which the CAPolicy.inf file is defined. Basic Constraints protect against complex hierarchies that implement long certificate chains. The extension also indicates whether the certificate is issued to a CA or to an end entity other than a CA.
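The following CAPolicy.inf is an added example, not a file from the original text, showing how the root CA settings above (CRL and CA certificate publication points, Enhanced Key Usage, renewal configuration) and the settings shared by root and subordinate CAs (CPS, base and delta CRL intervals, Basic Constraints) are expressed in one file. The host name pki.corp.contoso.com, the policy OID, the notice text and the chosen key length and validity values are constructed placeholders; replace them with your own before installing or renewing a CA. The section and key names are the standard CAPolicy.inf names; the %1, %3, %4 and %8 tokens are expanded by Certificate Services to the server DNS name, CA name, certificate renewal suffix and CRL name suffix respectively.

```ini
; CAPolicy.inf - constructed example, placed in %SystemRoot% before CA setup or renewal.
; Lines beginning with ';' are comments.

[Version]
Signature="$Windows NT$"

; --- Settings read for both root and subordinate CAs ---

; CPS information: the referenced policy section is embedded as a Certificate Policies extension.
[PolicyStatementExtension]
Policies=CorpCPS
Critical=False

[CorpCPS]
OID=1.3.6.1.4.1.99999.1.1   ; placeholder enterprise OID, not a real assignment
Notice="Certificate Practice Statement for the example corporate PKI"
URL=http://pki.corp.contoso.com/pki/cps.txt

[certsrv_server]
; Renewal configuration: match the initial key length and validity so the design is preserved on renewal.
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; Base CRL publication interval.
CRLPeriod=Weeks
CRLPeriodUnits=1
; Delta CRL publication interval; a value of 0 disables delta CRLs, which is typical for an offline root CA.
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; Basic Constraints: PathLength=0 means no further CA certificates may be issued beneath this CA.
; For a root above one issuing tier, use PathLength=1; omit the section to leave the path length unconstrained.
[BasicConstraintsExtension]
PathLength=0
Critical=Yes

; --- Settings that apply to the root CA's own certificate ---

; CRL publication points, tried by clients in the order listed.
; For a self-signed root certificate these are normally left empty (Empty=True),
; because no CRL can revoke the root itself; the URL form is shown for completeness.
[CRLDistributionPoint]
Empty=True
;URL=http://pki.corp.contoso.com/pki/%3%8.crl

; CA certificate publication points, tried by clients in the order listed.
[AuthorityInformationAccess]
Empty=True
;URL=http://pki.corp.contoso.com/pki/%1_%3%4.crt

; Enhanced Key Usage: restricts every certificate issued under this CA to these purposes.
; Code signing (1.3.6.1.5.5.7.3.3) is deliberately absent, so it can never be issued below this CA.
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1   ; Server Authentication
OID=1.3.6.1.5.5.7.3.2   ; Client Authentication
OID=1.3.6.1.5.5.7.3.4   ; Secure Email
Critical=No
```

After installation, the extensions actually written into the CA certificate can be inspected with certutil (for example, certutil -dump against the exported .crt file) to confirm that the Basic Constraints path length, Enhanced Key Usage list and policy OID match what the file specified. Note that the CSP is not a CAPolicy.inf setting and must be chosen at installation time.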