It is imperative that you implement a CAPolicy.inf file when installing the root CA in a multi-tier CA hierarchy. Because the root CA certificate is self-signed and generated during installation, the CAPolicy.inf file is the only way to control what goes into it, such as omitting the CDP and AIA extensions from the root CA certificate.

This CAPolicy.inf file for Fabrikam Industries Inc. makes the following assumptions:

■ The validity period of the root CA certificate is 20 years.

■ Base CRLs are published every 26 weeks.

■ Delta CRLs are disabled.

■ The root CA certificate does not contain a CDP or an AIA extension. A self-signed root is trusted because it is present in the Trusted Root Certification Authorities store, so a URL in either extension would only cause clients to attempt a pointless revocation check of the root certificate.

Based on these assumptions, the following CAPolicy.inf file is placed in the %windir% folder of the FABINCCA01 computer before Certificate Services is installed. The file is read only during installation (and during CA certificate renewal), so it must be in place before the installation starts:


; The [Version] header is required; without it the file is ignored.
[Version]
Signature="$Windows NT$"

[certsrv_server]
renewalkeylength=4096
; Units are decimal values: 20 years, not hexadecimal 0x20.
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=years
; Base CRL every 26 weeks; a delta period of 0 units disables delta CRLs.
CRLPeriod=weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

; Empty=True removes the extension from the root CA certificate entirely.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
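The following is an added example, not code from the book: a small Python checker that parses a CAPolicy.inf and verifies it against the four Fabrikam assumptions above. It also catches two editing mistakes that Certificate Services will not warn you about, a hexadecimal units value (0x20 is not 20) and a mis-typed section name such as [AuthoritylnformationAccess] (lower-case L for capital I), which is silently treated as an unknown section and leaves the AIA extension in the root certificate. The embedded sample file is constructed here to mirror the Fabrikam file.

```python
"""Sanity-check a root CA CAPolicy.inf against the Fabrikam assumptions.

Added example, not part of the original book. Verifies: 20-year root validity,
26-week base CRL, delta CRLs disabled, empty CDP and AIA extensions, and the
mandatory [Version] signature.
"""
import configparser

# Constructed sample: the Fabrikam root CA policy file as it should read.
FABRIKAM_CAPOLICY = """\
[Version]
Signature="$Windows NT$"

[certsrv_server]
renewalkeylength=4096
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=years
CRLPeriod=weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
"""

# (section, key) -> expected value, all compared case-insensitively.
EXPECTED = {
    ("certsrv_server", "renewalvalidityperiod"): "years",
    ("certsrv_server", "renewalvalidityperiodunits"): "20",
    ("certsrv_server", "crlperiod"): "weeks",
    ("certsrv_server", "crlperiodunits"): "26",
    ("certsrv_server", "crldeltaperiodunits"): "0",
    ("crldistributionpoint", "empty"): "true",
    ("authorityinformationaccess", "empty"): "true",
}

UNITS_KEYS = ("renewalvalidityperiodunits", "crlperiodunits", "crldeltaperiodunits")


def parse_capolicy(text):
    """Parse CAPolicy.inf text into {section_lower: {key_lower: value}}."""
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.optionxform = str  # keep key spelling; lower-cased below
    parser.read_string(text)
    result = {}
    for section in parser.sections():
        result[section.lower()] = {
            key.lower(): (value or "").strip().strip('"')
            for key, value in parser.items(section)
        }
    return result


def check_capolicy(text):
    """Return a list of problems; an empty list means the file matches the assumptions."""
    cfg = parse_capolicy(text)
    problems = []
    signature = cfg.get("version", {}).get("signature", "")
    if signature.lower() != "$windows nt$":
        problems.append('[Version] Signature="$Windows NT$" is missing')
    for (section, key), want in EXPECTED.items():
        got = cfg.get(section, {}).get(key)
        if got is None:
            problems.append(f"[{section}] {key} is missing")
        elif got.lower() != want:
            problems.append(f"[{section}] {key}={got}, expected {want}")
    # Units directives are read as decimal integers; 0x20 would not mean 20.
    for key in UNITS_KEYS:
        got = cfg.get("certsrv_server", {}).get(key)
        if got and not got.isdigit():
            problems.append(f"[certsrv_server] {key}={got!r} is not a decimal integer")
    return problems


if __name__ == "__main__":
    for problem in check_capolicy(FABRIKAM_CAPOLICY) or ["CAPolicy.inf matches the assumptions"]:
        print(problem)
```

Run the checker against the file you intend to drop into %windir% before starting the Certificate Services installation; a mistake found afterwards means reinstalling the root CA, because the root certificate has already been generated with the wrong contents.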

Note This example assumes that Fabrikam Industries Inc. has an existing Active Directory deployment with a single domain named . It does not matter whether the domain is a Windows 2000 or a Windows Server 2003 domain as long as the Active Directory modifications discussed in Chapter 4, "Preparing an Active Directory Environment," are applied.

