CAPolicy.inf

sara2000 asked:

We have an enterprise root CA. The validation period is about to expire. I have to create a CAPolicy.inf file as listed below to extend the validation period.
I need experts' help on the OID and CRL area (raw); hope someone will point me in the right direction.
Where will I get information about the following from the existing server? Or are they important?

1. OID=
2. RenewalKeyLength=
3. CRL Period=
[Version]
; Signature must use straight ASCII quotes; word-processor quotes break the file
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
; issuance policy OID and the location of the CPS it points to
OID=1.2.3.4.1455.67.89.5
URL=http://pki.bedrock.domain/pki/cps.html
[Certsrv_Server]
; key size used if the CA certificate is renewed with a new key pair
RenewalKeyLength=4096
; lifetime of the renewed CA certificate
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; lifetime of the base CRL
CRLPeriod=Years
CRLPeriodUnits=20
; delta CRL lifetime; 0 disables delta CRLs
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
Jakob Digranes

This is an existing CA server?
Then there should be an existing CAPolicy.inf file there. Or wasn't it used the last time this was set up? CAPolicy.inf is used to get the server identical every time.
It's not needed, as you can set all aspects in Certification Authority.

Check %windir%\CaPolicy.inf on the server to see if it is present.
OID sets policies for your CA server - no need to change this for a regular internal PKI. What kind of certificates do you enroll, and for what purposes?

The CRL is the location of the Certificate Revocation List - the list that shows which certs are revoked.

The CRL publication path can be set in Certificate Authority - but for peace of mind, consider using the existing CRLs. Also, I prefer using http:// only for URL publication.

CRLPeriod=Years
CRLPeriodUnits=20
This one sets the CRL lifetime to 20 years, which would be the same as not using a CRL at all.

CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
A delta CRL is a CRL with the certs revoked since the last full published CRL. For an internal PKI there's absolutely no point in using this, as the CRL never gets large.
Here the delta CRL is set to 0 days - you could just as well remove the lines from the CAPolicy file.

RenewalKeyLength - that's the key size for the certificate. For a root, 4096 is good; a SubCA could do with 2048 bit.
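As an added example (not code from this thread or from Microsoft), a small Python checker that parses a CAPolicy.inf and flags the points raised above: curly quotes in Signature, a base CRL lifetime as long as the CA certificate, a zero delta CRL period, a policy section on an internal CA, and LoadDefaultTemplates on a renewal. The function names and the sample file are constructed for this example.

```python
import configparser

# Constructed sample: the CAPolicy.inf posted in the question, with straight quotes.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
URL=http://pki.bedrock.domain/pki/cps.html
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=20
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
"""
_DAYS = {"years": 365, "months": 30, "weeks": 7, "days": 1, "hours": 1 / 24}  # rough, for comparison

def parse_capolicy(text):
    """Parse CAPolicy.inf into {section: {key.lower(): value}} (INF is INI-shaped; ';' comments)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def period_days(section, prefix):
    """Turn <prefix>Period=Years / <prefix>PeriodUnits=20 into a day count (0 if absent)."""
    unit = section.get(prefix + "period", "").strip().lower()
    return int(section.get(prefix + "periodunits", "0")) * _DAYS.get(unit, 0)

def check_capolicy(text):
    """Return the findings the replies above would raise for this file."""
    findings = []
    if "\u201c" in text or "\u201d" in text:  # word-processor quotes break the INF
        findings.append('curly quotes present; Signature must be "$Windows NT$"')
    inf = parse_capolicy(text)
    srv = inf.get("Certsrv_Server", {})
    crl, ca = period_days(srv, "crl"), period_days(srv, "renewalvalidity")
    if crl and crl >= ca:  # a CRL that outlives the CA certificate is as good as no CRL
        findings.append(f"CRL lifetime {crl} days >= CA cert lifetime {ca} days")
    if srv.get("crldeltaperiodunits") == "0":
        findings.append("CRLDeltaPeriodUnits=0: delta CRLs disabled, drop both CRLDelta lines")
    if "PolicyStatementExtension" in inf:
        findings.append("PolicyStatementExtension/OID present: only needed to assert a CPS policy")
    if srv.get("loaddefaulttemplates") == "0":
        findings.append("LoadDefaultTemplates=0 only matters at first CA install, not on renewal")
    return findings
```

Run `check_capolicy(open("CAPolicy.inf", encoding="utf-8").read())` against the file you intend to drop into %windir% before renewing.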
sara2000 (ASKER)

It is an existing root CA, running on Windows 2008. I do not see CAPolicy.inf in the C:\Windows folder.
I guess I have to create that file.
You actually don't need to define an OID for a root CA in the policy.inf file unless you are creating a public CA which will serve 3rd parties.
The renewal key length for a root CA can be 4096, but 2048 would be good enough for the certificates it issues, to avoid load on workstation processors.
When you keep the CRL period at 20 years, it means the CA will ignore any revocations that happen in the next 20 years, and whenever you revoke / renew / expire any certs, you need to manually update the CRL.
So I can ignore the following from the .inf file?
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
URL=http://pki.bedrock.domain/pki/cps.html
You need to remove the lines from PolicyStatementExtension to URL,

because the OID would be assigned to an issuance policy, and issuance policy is part of the policy statement extensions.
Thank you for your help.
Do I need the following?
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
ASKER CERTIFIED SOLUTION
Mahesh
You cannot hide default cert templates which are already issued and listed under Templates by putting the below line in the inf file:
LoadDefaultTemplates=0
The above setting would be useful when you set up the CA the 1st time.
True! Missed the part where this is a cert renewal.
But a good tip is to verify the CRL with pkiview.msc before reissuing, to correct any changes.