CAPolicy.inf necessary?

Ming Cheung 421 Reputation points
2020-12-28T09:44:39.747+00:00

Does CAPolicy.inf necessary?

some article say deployment can be done with only Next Next Steps,
Microsoft docu only teach with using CAPolicy.inf,
are there any different between with or without CAPolicy?

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,356 questions
Accepted answer
  1. Vadims Podāns 8,391 Reputation points MVP
    2020-12-28T10:30:52.987+00:00

    CAPolicy.inf file is only necessary when you need to make some pre-configuration which is not available in UI. If there is nothing special you want to pre-configure, then you don't need it. Most often reason when you need it -- when you want to include certificate policies extension in CA certificate. It is not configurable from UI.

    1 person found this answer helpful.

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Thameur-BOURBITA 15,816 Reputation points
    2020-12-28T12:10:21.353+00:00

    Hi,

    The CAPolicy.inf file defines the extensions, constraints, and other configuration settings that are applied to a root CA certificate and all certificates issued by the root CA. You can get more details about syntax and settings can be added on this file : prepare-the-capolicy-inf-file

    It's not necessary but recommended to be able to setup some settings not supported by UI and have a template of CA settings in order to simplify the CA installation and migration.

    ----------

    Please don't forget to mark helpful reply as answer

  2. Hannah Xiong 6,176 Reputation points
    2020-12-29T02:37:28.403+00:00

    Hello,

    Thank you so much for posting here.

    The CAPolicy.inf contains various settings that are used when installing the Active Directory Certification Service (ADCS) or when renewing the CA certificate.The CAPolicy.inf file is not required to install AD CS with the default settings, but in many cases the default settings are insufficient. The CAPolicy.inf can be used to configure CAs in these more complicated deployments.

    CAPolicy.inf is still necessary if you want to define some properties which are not configurable by using other means, like renewal settings, signature format for CA certificate and so on.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  3. Ming Cheung 421 Reputation points
    2020-12-29T08:23:03.37+00:00

    thank you all guys, but i can only mark accept to the 1st answer