CAPolicy.Inf

Options for CA Policy.inf

[Version]

Name	Value	Description	Required
Signature	”$Windows NT$”	Version info	Yes

[certsrv_server]

Name	Value	Description	From Version
RenewalKeyLength	512,1024,2048,4096	Key Length when CA Certificate is renewed	2003
RenewalValidityPeriod	days,weeks,years	Validation time for the next CA Certificate issued	2003
RenewalValidityPeriodUnits	(number)	Validation time for the next CA Certificate issued	2003
CRLPeriod	days,weeks,years	-	2003
CRLPeriodUnits	(number)	-	2003
CRLDeltaPeriod	days,weeks,years	-	2003
CRLDeltaPeriodUnits	(number)	-	2003
ClockSkewMinutes	(numbers)	Effective time set in CRL minus x minutes	2008
LoadDefaultTemplates	0/1 or True/False	If true, defaults templates will be loaded and automatically deployed	2008
AlternateSignatureAlgorithm	0/1 or True/False	Enables PKCS #1 V2.1 Signatre format on both CA certificate and certificates issued,0=SHA384RSA,1=RSASSA-PSS(Not Supported by Cisco+++)	2008
CNGHashAlgorithm	SHA1,SHA256, SHA384,SHA512	Hash Algorithm used to in certificates issued	2008
ForceUTF8	0/1 or True/False	Force relative distinguished names (RDNs) in Subject and Issuer names to be UTF-8	2008
EnableKeyCounting	0/1 or True/False	CA will increment a counter every time a the CA's signing key is used. (Only supported by some HSM modules, do not enable on software CSP's)	2008

[BasicConstraintsExtension]

Name	Value	Description	From Version
PathLength	(number)	Number of SUBCA's. set to 0 in the LAST CA, add one for each CA above in the PKI chain	2003
Critical	(yes/no,1/0/true/false)	—	2003

[CrossCertificateDistributionPointsExtension]

Name	Value	Description	From Version
SyncDeltaTime	(number)	How often in seconds the URL is updated	2008
URL	(URL)	http location of partner CA certificate	2008
Critical	(yes/no,1/0/true/false)	—	2003

Geir's Wiki of things to remember