
Microsoft, Server 2003, Root CA Server, CAPolicy.inf

We are setting up a Standalone Root CA and I'm having problems with the CAPolicy.inf.
Is this all I need? I've read the documentation but am kind of confused.

[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
[CRLDistributionPoint]
Empty=True
[AuthorityInformationAccess]
Empty=True

I have to manually publish the cert and CRL in Active Directory, right?
And I will have to do this every 26 weeks when the new CRL is published, right?

Any help would be greatly appreciated. Thanks,
Matt
1 Solution
 
merowingerCommented:
You can also do this via the command line, triggered by the Windows scheduler:
http://technet2.microsoft.com/windowsserver/en/library/073732b5-80f0-4cf0-bc8e-d8e055ce26491033.mspx?mfr=true

CRLPeriodUnits = overall validity of the CRL lists (26 weeks = half a year)
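The command-line publishing step mentioned above, as an added example that is not from this thread or from Microsoft's documentation. It assumes the offline root's exported certificate and CRL have already been copied to C:\RootCA on a domain-joined machine where you have rights to write to the configuration partition; the file names and the C:\RootCA path are hypothetical.

```powershell
# Added example: publish an offline root CA's certificate and CRL into Active
# Directory with certutil, and check that the CAPolicy.inf above really left
# the CDP/AIA extensions out of the root certificate.
# The C:\RootCA path and file names are hypothetical; adjust to your environment.

$Drop = 'C:\RootCA'                     # files copied over from the offline root
$Cert = Join-Path $Drop 'rootca.crt'    # root CA certificate (DER or Base64)
$Crl  = Join-Path $Drop 'rootca.crl'    # CRL issued on the root with "certutil -crl"

foreach ($f in $Cert, $Crl) {
    if (-not (Test-Path $f)) { throw "Missing $f - copy it from the offline root first" }
}

# 1. Inspect the root certificate's extensions. With [CRLDistributionPoint] and
#    [AuthorityInformationAccess] both set to Empty=True, neither the
#    "CRL Distribution Points" nor the "Authority Information Access" extension
#    should be listed; if one is, CAPolicy.inf was not picked up at install time.
$dump = certutil -dump $Cert
if ($dump -match 'CRL Distribution Points|Authority Information Access') {
    Write-Warning 'Root certificate still carries CDP/AIA extensions'
}

# 2. Publish the certificate into the Trusted Root (and AIA) containers of the
#    configuration partition, then publish the CRL into the CDP container.
#    -f overwrites the existing object, which is what you want when republishing
#    a freshly issued CRL every CRLPeriodUnits (26 weeks here).
certutil -dspublish -f $Cert RootCA
if ($LASTEXITCODE -ne 0) { throw "Publishing the certificate failed ($LASTEXITCODE)" }
certutil -dspublish -f $Crl
if ($LASTEXITCODE -ne 0) { throw "Publishing the CRL failed ($LASTEXITCODE)" }

# 3. Print the CRL's NextUpdate so the operator knows when the root has to be
#    brought online again to issue and republish the next CRL.
(certutil -dump $Crl | Select-String 'NextUpdate').Line
```

Domain members pick the published root up through Group Policy refresh, so after step 2 a `gpupdate` on a test client and `certutil -verify -urlfetch` against a certificate issued under this root is a quick way to confirm the chain builds.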
HooznextAuthor Commented:
So since this will be an offline CA, I do not need to publish anything in the [CRLDistributionPoint] or in the [AuthorityInformationAccess] sections?

It says in Microsoft's documentation that if I don't use those, then I must redeploy my entire PKI if my root is compromised.

Anyway, to restate: I will need to bring the root CA online every six months, copy the CRL and republish it in Active Directory.
merowingerCommented:
Have you got a link to this documentation?
HooznextAuthor Commented:
It's in the Windows Server 2003 PKI and Certificate Security book by Microsoft.

Here is the clip

There are two strategies you can use when designing the CA certificate and CRL publication points for a root CA. Choosing which strategy to follow depends on your organization's security policy and the PKI-enabled applications it deploys.
The first strategy is to not publish CA certificate and CRL retrieval URLs in the root CA's certificate. By excluding the Authority Information Access (AIA) and CRL Distribution Point (CDP) extensions from the root CA certificate, you block the certificate chaining engine from checking the root CA certificate's revocation status. The root CA certificate is designated as trusted by adding the certificate to the trusted root CA store at client computers. If the root CA certificate is compromised, you must redeploy your entire PKI rather than just revoke the root CA certificate.