This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 43%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
Does CAPolicy.inf necessary?
some article say deployment can be done with only Next Next Steps,
Microsoft docu only teach with using CAPolicy.inf,
are there any different between with or without CAPolicy?
The UI doesn´t provide all possible settings a capolicy.inf can provide. e.g. the serial. If you are registered at IANA and you have a PEN number (which you should it´s free ;-)
CAPolicy.inf file is only necessary when you need to make some pre-configuration which is not available in UI. If there is nothing special you want to pre-configure, then you don't need it. Most often reason when you need it -- when you want to include certificate policies extension in CA certificate. It is not configurable from UI.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
The CAPolicy.inf file defines the extensions, constraints, and other configuration settings that are applied to a root CA certificate and all certificates issued by the root CA. You can get more details about syntax and settings can be added on this file : prepare-the-capolicy-inf-file
It's not necessary but recommended to be able to setup some settings not supported by UI and have a template of CA settings in order to simplify the CA installation and migration.
----------
Please don't forget to mark helpful reply as answer
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
Thank you so much for posting here.
The CAPolicy.inf contains various settings that are used when installing the Active Directory Certification Service (ADCS) or when renewing the CA certificate.The CAPolicy.inf file is not required to install AD CS with the default settings, but in many cases the default settings are insufficient. The CAPolicy.inf can be used to configure CAs in these more complicated deployments.
CAPolicy.inf is still necessary if you want to define some properties which are not configurable by using other means, like renewal settings, signature format for CA certificate and so on.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
thank you all guys, but i can only mark accept to the 1st answer