Hooznext asked:
Microsoft, Server 2003, Root CA Server, CAPolicy.inf

We are setting up a Standalone Root CA and I'm having problems with the CAPolicy.inf
Is this all I need? I've read the documentation but am kind of confused.

[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
[CRLDistributionPoint]
Empty=True
[AuthorityInformationAccess]
Empty=True

I have to manually publish the cert and CRL in Active Directory, right?
And I will have to do this every 26 weeks when the new CRL is published, right?

Any help would be greatly appreciated. Thanks,
Matt
ASKER CERTIFIED SOLUTION
merowinger

Hooznext (ASKER):
So since this will be an offline CA, I do not need to publish anything in the [CRLDistributionPoint] or in the [AuthorityInformationAccess] sections.

It says in Microsoft's documentation that if I don't use those, then I must redeploy my entire PKI if my root is compromised.

And to restate: I will need to bring the root CA online every six months, copy the CRL and republish it in Active Directory.

Have you got a link to this documentation?

It's in the Windows Server 2003 PKI and Certificate Security book by Microsoft.

Here is the clip:

There are two strategies you can use when designing the CA certificate and CRL publication points for a root CA. Choosing which strategy to follow depends on your organization's security policy and the PKI-enabled applications it deploys.
The first strategy is to not publish CA certificate and CRL retrieval URLs in the root CA's certificate. By excluding the Authority Information Access (AIA) and CRL Distribution Point (CDP) extensions from the root CA certificate, you block the certificate chaining engine from checking the root CA certificate's revocation status. The root CA certificate is designated as trusted by adding the certificate to the trusted root CA store at client computers. If the root CA certificate is compromised, you must redeploy your entire PKI rather than just revoke the root CA certificate.
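The manual republish the asker describes (bringing the offline root's certificate and CRL into Active Directory at each CRL period), as an added example that is not from this thread or the book; the file paths are hypothetical, and it assumes the commands are run on a domain-joined machine by a member of Enterprise Admins, which certutil -dspublish requires.

```powershell
# Added example (not from the thread). Assumes the offline root CA's
# certificate and its freshly signed CRL were carried over on removable
# media to these hypothetical paths on a domain-joined admin workstation.
$RootCert = 'C:\OfflineRoot\RootCA.crt'
$RootCrl  = 'C:\OfflineRoot\RootCA.crl'

foreach ($f in $RootCert, $RootCrl) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# Publish the root certificate into AD. The RootCA keyword places it in the
# Certification Authorities container (so domain members trust it through
# Group Policy) and in the AIA container. -f overwrites an older copy.
certutil -dspublish -f $RootCert RootCA

# Publish the CRL into the CDP container of the AD configuration partition.
# With CDP left empty in CAPolicy.inf, clients will not go looking for it,
# but this is the step the asker has to repeat each CRL period.
certutil -dspublish -f $RootCrl

# Print the validity window of the CRL just published, so the next offline
# signing session is scheduled before NextUpdate (26 weeks in this setup).
certutil -dump $RootCrl | Select-String 'ThisUpdate|NextUpdate'

# Refresh machine policy now instead of waiting for the next GP cycle,
# so the local trusted root store picks up the published objects.
gpupdate /target:computer /force
```

Run it each time a new CRL is signed on the offline root; if the CRL's NextUpdate has already passed, clients that do check revocation will treat the chain as having an expired CRL until the new one is published.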