CAPolicy.inf

We have an enterprise root CA. Its validity period is about to expire. I have to create a CAPolicy.inf file as listed below to extend the validity period.
I need expert help on the OID and CRL areas (raw), and hope someone will point me in the right direction.
Where will I get information about the following from the existing server? Or are they important?

1. OID=
2. RenewalKeyLength=
3. CRL Period=

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
URL=http://pki.bedrock.domain/pki/cps.html
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=20
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
sara2000 asked:
Jakob Digranes (Senior Consultant) commented:
This is an existing CA server?
Then there should be an existing CAPolicy.inf file there. Or wasn't it used last time this was set up? CAPolicy.inf is used to get the server identical every time.
It's not needed, as you can set all aspects in the Certification Authority console.

Check %windir%\CAPolicy.inf on the server to see if it is present.
The OID sets policies for your CA server; no need to change this for a regular internal PKI. What kind of certificates do you enroll, and for what purposes?

The CRL is the location of the Certificate Revocation List, the list that shows which certs are revoked.

The CRL publication path can be set in the Certification Authority console, but for peace of mind, consider using the existing CRLs. Also, I prefer using http:// only for URL publication.

CRLPeriod=Years
CRLPeriodUnits=20
This sets the CRL lifetime to 20 years, which would be the same as not using a CRL at all.

CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
A delta CRL is a CRL with the certs revoked since the last full published CRL. For an internal PKI there's absolutely no point in using this, as the CRL never gets large.
Here the delta CRL is set to 0 days; you could just as well remove the lines from the CAPolicy file.

RenewalKeyLength is the key size for the certificate. For a root, 4096 is good; a SubCA could do with 2048 bits.
sara2000 (Author) commented:
It is an existing root CA running on Windows 2008. I do not see a CAPolicy.inf in the C:\Windows folder.
I guess I have to create that file.
Mahesh (Architect) commented:
You actually don't need to define an OID for the root CA in CAPolicy.inf unless you are creating a public CA which will serve third parties.
The renewal key length for the root CA can be 4096, but 2048 would be good enough for the certificates it issues, to avoid load on workstation processors.
When you keep the CRL period at 20 years, it means the CA will ignore any revocations that happen in the next 20 years, and whenever you revoke / renew / expire any certs you need to manually update the CRL.
sara2000 (Author) commented:
So I can ignore the following in the .inf file?
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
URL=http://pki.bedrock.domain/pki/cps.html
Mahesh (Architect) commented:
You need to remove the lines from [PolicyStatementExtension] through URL.

That is because the OID would be assigned to an issuance policy, and the issuance policy is part of the policy statement extension.
sara2000 (Author) commented:
Thank you for your help.
Do I need the following?
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
Mahesh (Architect) commented:
No need for any of the above fields.
The CRL delta period and units can be confirmed later from the GUI as well.
If you don't want the CA to start issuing certs immediately after deployment, you can put "LoadDefaultTemplates=0" to avoid issuing certs before you configure any other CA aspects.
In that case you need to publish the required templates manually.
I don't see any benefit of this setting here either,
as if this is an enterprise AD-integrated CA, it must already be working / fully configured and already have issued cert templates.
If this is a standalone root CA, it doesn't use templates.
Jakob Digranes (Senior Consultant) commented:
Sorry, I've been offline. Mahesh is correct: the OID can be removed. Delta CRL you should drop, as I said earlier in the post.

I always configure a CA without any templates to begin with. If you accidentally enroll certs to PCs and users, they're cumbersome to remove from the PCs later on.
Mahesh (Architect) commented:
You cannot hide default cert templates which are already issued and listed under Templates by putting the line below in the inf file:
LoadDefaultTemplates=0
The above setting is only useful when you set up the CA for the first time.
Jakob Digranes (Senior Consultant) commented:
True! I missed the part where this is a cert renewal.
But a good tip is to verify the CRL with pkiview.msc before reissuing, to correct any changes.
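Added example, not code from anyone in this thread: a PowerShell script that answers the original question ("where do I get the OID, key length and CRL values from the existing server?") by reading them from the running CA, flags the 20-year CRL and the delta CRL that the replies warn about, and writes the minimal renewal CAPolicy.inf the replies converge on (no [PolicyStatementExtension], no delta CRL, no LoadDefaultTemplates). Run it in an elevated prompt on the CA itself. Assumptions made here: the output path %windir%\CAPolicy.inf (the location certsrv reads it from), the 20-year renewal validity copied from the posted .inf, and the choice to warn whenever the base CRL period is measured in years.

```powershell
# Added example for this thread, not the posters' own code. Run elevated on the CA.
$ErrorActionPreference = 'Stop'

# The CertSvc configuration key: "Active" holds the CA name, and the per-CA
# subkey holds the CRL settings the CA currently uses (same values that
# "certutil -getreg CA\CRLPeriod" etc. print).
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$cfg     = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# 1. OID / CPS URL: read the Certificate Policies extension (OID 2.5.29.32) of
#    the CA's own certificate. The root CA cert is the newest self-signed cert
#    with a private key in the machine store.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw 'No self-signed CA certificate with a private key found in LocalMachine\My' }

$policyExt = $caCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
if ($policyExt) { $policyText = $policyExt.Format($true) }
else            { $policyText = '(none; no [PolicyStatementExtension] section is needed)' }

# 2. RenewalKeyLength: never renew with a smaller key than the CA has today.
$currentKeyBits = $caCert.PublicKey.Key.KeySize
$renewalBits    = [Math]::Max(4096, $currentKeyBits)

# 3. CRL settings, as the running CA has them.
Write-Host "CA name:            $caName"
Write-Host "CA certificate:     $($caCert.Subject), expires $($caCert.NotAfter)"
Write-Host "Current key size:   $currentKeyBits bits (renewal will use $renewalBits)"
Write-Host "Certificate policy: $policyText"
Write-Host "CRLPeriod:          $($cfg.CRLPeriodUnits) $($cfg.CRLPeriod)"
Write-Host "CRLDeltaPeriod:     $($cfg.CRLDeltaPeriodUnits) $($cfg.CRLDeltaPeriod)"
Write-Host "CRL publication:"
$cfg.CRLPublicationURLs | ForEach-Object { Write-Host "    $_" }

# Flag the two settings discussed in the thread. A base CRL that stays valid
# for years means a revoked cert keeps being trusted until the next CRL is
# actually published; delta CRLs add nothing for a small internal PKI.
if ($cfg.CRLPeriod -eq 'Years') {
    Write-Warning "Base CRL lifetime is $($cfg.CRLPeriodUnits) $($cfg.CRLPeriod): clients keep trusting a revoked cert until the next CRL is published. Days or weeks is usual for an online enterprise root."
}
if ([int]$cfg.CRLDeltaPeriodUnits -gt 0) {
    Write-Warning "Delta CRLs are enabled ($($cfg.CRLDeltaPeriodUnits) $($cfg.CRLDeltaPeriod)); disable with: certutil -setreg CA\CRLDeltaPeriodUnits 0"
}

# Minimal renewal CAPolicy.inf following the thread's advice: only the
# renewal keys. CRL lifetime on a running CA can be changed at any time with
# certutil -setreg, so it is deliberately left out of this file.
$inf = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength={0}
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
'@ -f $renewalBits

$outFile = Join-Path $env:windir 'CAPolicy.inf'   # certsrv only reads it from %windir%
if (Test-Path $outFile) {
    throw "${outFile} already exists; review that file instead of overwriting it"
}
Set-Content -Path $outFile -Value $inf -Encoding Ascii
Write-Host "Wrote ${outFile}:"
Write-Host $inf
```

With the file in place, renew from the Certification Authority console (right-click the CA, All Tasks, Renew CA Certificate) and answer Yes to generating a new signing key if you want the larger RenewalKeyLength to take effect. To shorten the base CRL lifetime on the existing CA without touching CAPolicy.inf, run for example `certutil -setreg CA\CRLPeriod "Weeks"` and `certutil -setreg CA\CRLPeriodUnits 1`, restart the service (`net stop certsvc` then `net start certsvc`), publish a fresh CRL with `certutil -crl`, and confirm with `certutil -getreg CA\CRLPeriodUnits` and pkiview.msc that the CRL and AIA locations check out before and after the renewal.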
Windows Server 2008