Jump to content


  • 0
Bridge

CAPolicy.inf ? Issuing CA

Question

I'm going through the guide now and was wondering if the CAPolicy.inf for Part 5 (https://www.windows-noob.com/forums/topic/16256-how-can-i-configure-pki-in-a-lab-on-windows-server-2016-part-5/) is what is recommended/best-practice for a production environment?

I plan on replacing the OID with one from IANA, and obviously replacing the rest of the URL to match our CPS, but is that all that is needed? Should anything else be added? I noticed on some Microsoft blogs/guides it has CRL and AIA info included in it, and various other settings. Just wondering if there's any other relevant information on this. Thank you!

 

Share this post


Link to post
Share on other sites

2 answers to this question

Recommended Posts

  • 0

glad to see you are doing my lab, it is intended for use in a Lab environment, i'd recommend consulting with a PKI expert to get the answers to your capolicy.inf question

that said, here's microsoft documentation on the subject

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file

Share this post


Link to post
Share on other sites

  • 0

Thanks for the link, and the lab is definitely very useful and better than some other ones I've seen. I'll go through it some more. It seems like there's very little info on this specific aspect available on the internet regarding CApolicy.inf. I'm probably overthinking it but don't want to get it wrong.

In other examples like Brian Komars book I see he adds more info under [certsrv_server] like "CRLPeriod", "CRLPeriodUnits", etc. and was wondering if there was a reason they were excluded on yours, if they are no longer needed or are set elsewhere, or if it's just due to it being a lab environment and those are the bare minimum settings needed for CAPolicy.inf

EDIT: Just so other people who have the same question, I was able to find out that the only thing the CApolicy is needed for is to overwrite the few parameters that otherwise can't be configured via Powershell/GUI. So you're probably going to find a whole array of CApolicy files that are all technically correct, production-quality, they just contain varying levels of detail, and it's actually better to set them using CERTUTIL instead of defining them in the CAPolicy.inf file.

Edited by Bridge
  • Haha 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.