Microsoft, Server 2003, Root CA Server, CAPolicy.inf

Posted on 2007-08-03
Last Modified: 2013-11-05
We are setting up a Standalone Root CA and I'm having problems with the CAPolicy.inf.
Is this all I need? I've read the documentation but am kind of confused.

Signature="$Windows NT$"

I have to manually publish the cert and CRL in Active Directory, right?
And I will have to do this every 26 weeks when the new CRL is published, right?

Any help would be greatly appreciated. Thanks,
Question by: Hooznext
    LVL 31

    Accepted Solution

    You can also do this via the command line, triggered by the Windows scheduler.

    CRLPeriodUnits = overall validity of the CRL (26 weeks = half a year)
    LVL 1

    Author Comment

    So since this will be an offline CA, I do not need to publish anything in the [CRLDistributionPoint] or in the [AuthorityInformationAccess]?

    It says in Microsoft's documentation that if I don't use those, then I must redeploy my entire PKI if my root is compromised.

    And to restate: I will need to bring the root CA online every six months, copy the CRL and republish it in Active Directory?
    LVL 31

    Expert Comment

    Have you got a link to this documentation?
    LVL 1

    Author Comment

    It's in the Windows Server 2003 PKI and Certificate Security book by Microsoft.

    Here is the clip:

    There are two strategies you can use when designing the CA certificate and CRL publication points for a root CA. Choosing which strategy to follow depends on your organization's security policy and the PKI-enabled applications it deploys.
    The first strategy is to not publish CA certificate and CRL retrieval URLs in the root CA's certificate. By excluding the Authority Information Access (AIA) and CRL Distribution Point (CDP) extensions from the root CA certificate, you block the certificate chaining engine from checking the root CA certificate's revocation status. The root CA certificate is designated as trusted by adding the certificate to the trusted root CA store at client computers. If the root CA certificate is compromised, you must redeploy your entire PKI rather than just revoke the root CA certificate.
