
Standalone root CA - do I need to use the capolicy.inf file?

Discussion in 'Windows Security' started by johnny_mango, Jun 17, 2009.

  1. johnny_mango

    johnny_mango Guest

    Hi there,

    I am currently planning a PKI implementation for a client who wishes to use
    certificates primarily for Exchange, OCS and SharePoint. It is possible it
    will be used for other purposes in the future.

    My plan is to install a standalone root CA which I will turn off, and
    install a subordinate Enterprise CA, according to what I think are MS best
    practices.

    My question is - do I need to use a capolicy.inf file when I create my
    standalone root CA, or can I do without it? What are the advantages and
    disadvantages?

    Thanks in advance.
     
  2. Steve

    Steve Guest

    With W2K3, you will want to use one, as this is the only way to suppress the
    AIA/CDP fields within the root CA cert. W2K8 does not put these in by default,
    but it is still a great idea. You can control key size requirements,
    lifetimes, etc., and if anyone (besides you) decides to renew the CA cert and
    the CAPolicy.inf file is still in place, you can be a little more assured
    that it will renew with the same requirements you had when it was initially
    keyed.

    "johnny_mango" <johnnymango@discussions.microsoft.com> wrote in message
    news:3DA1BF0E-22EA-43A7-85CD-C8BA01FBA830@microsoft.com...
     
  3. johnny_mango

    johnny_mango Guest

    Thanks Steve,

    If I were to use an Enterprise Root CA, would it still be advisable to use
    this file? Would I just create it leaving the two fields you mention empty,
    and that's the end of the story?

    Thanks.

    "Steve" wrote:
     
  4. johnny_mango

    johnny_mango Guest

    It's weird. I decided to undo my test Enterprise CA, which I created without
    the CAPolicy.inf file, as it was producing an error occasionally, about a
    temporary CA certificate which it said it was using.

    Re-doing things, I decided to use the CAPolicy.inf file as per Best Practices
    for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure in
    the root standalone CA section (don't think the syntax matters if it is an
    Enterprise or standalone) and I noticed no difference.

    Specifically:
    1. It didn't respect the key length I put in CAPolicy.inf
    2. It still marks the same error in the Event Viewer
    3. The extensions tab still shows all the locations for CDP and AIA

    What can I be doing wrong?

    "johnny_mango" wrote:
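The following is an added example, not code posted by anyone in this thread, illustrating what Steve describes (a CAPolicy.inf that keeps CDP/AIA out of the root certificate and pins renewal key size and lifetime) and the checks a practitioner would run after the symptoms johnny_mango reports. Three things to know before using it: the file must be named exactly CAPolicy.inf, sit in %windir% (C:\Windows), and be there before the CA role is installed or the CA certificate is renewed, otherwise it is silently ignored; RenewalKeyLength applies only when the CA certificate is renewed with a new key, the initial key size is whatever the setup wizard is told; and the Extensions tab in the CA console shows the CDP/AIA URLs the CA stamps into certificates it issues, not the extensions in the root's own self-signed certificate, which is what the empty sections below control. The key size, validity period and CRL schedule are illustrative values, and Test-RootCaCert and the export path under $env:TEMP are names chosen for this example.

```powershell
# Added example (not from the thread). Run as Administrator on the host that
# will become the offline standalone root CA. Assumes the standard location
# $env:windir\CAPolicy.inf; all numeric values are illustrative.

$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Applies only when the CA certificate is renewed with a new key pair. The
; initial key size is chosen in the setup wizard; pick the same value there
; so a later renewal cannot quietly downgrade the root.
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; An offline root publishes its CRL rarely; size the period so the CRL does
; not expire between the times the machine is powered on.
CRLPeriod=Months
CRLPeriodUnits=6
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; Section headers with no URLs keep the CDP and AIA extensions out of the
; root's own self-signed certificate (a self-signed root has nothing to chase).
; Windows Server 2003 honours the bare headers; on Windows Server 2008 R2 and
; later the documented form is the header followed by Empty=True.
[CRLDistributionPoint]

[AuthorityInformationAccess]
'@

# Write as plain ASCII; the file is read by the CA setup code, not by PowerShell.
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding ASCII

# --- After the CA role has been installed: did the root cert come out as asked? ---
function Test-RootCaCert {
    param([string]$CerPath)   # path to an exported copy of the CA's own certificate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $oids = $cert.Extensions | ForEach-Object { $_.Oid.Value }
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        KeySize    = $cert.PublicKey.Key.KeySize
        ValidYears = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
        HasCDP     = ($oids -contains '2.5.29.31')         # CRL Distribution Points
        HasAIA     = ($oids -contains '1.3.6.1.5.5.7.1.1') # Authority Information Access
    }
}

# certutil -ca.cert exports the CA's own certificate (available on 2003 and later).
$exported = Join-Path $env:TEMP 'root.cer'
certutil -ca.cert $exported | Out-Null
Test-RootCaCert $exported
```

For a root built with the file above, HasCDP and HasAIA should both be False and ValidYears should match the period chosen in the wizard; if the root certificate still carries CDP/AIA URLs, the file was not in %windir% under that exact name when the role was installed, and the fix is to place it and reinstall (or renew) the CA, not to edit the Extensions tab.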
     
