CAPolicy.inf necessary?

Ming Cheung 421 Reputation points

Does CAPolicy.inf necessary?

some article say deployment can be done with only Next Next Steps,
Microsoft docu only teach with using CAPolicy.inf,
are there any different between with or without CAPolicy?

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,760 questions
{count} votes

Accepted answer
  1. Vadims Podāns 9,116 Reputation points MVP

    CAPolicy.inf file is only necessary when you need to make some pre-configuration which is not available in UI. If there is nothing special you want to pre-configure, then you don't need it. Most often reason when you need it -- when you want to include certificate policies extension in CA certificate. It is not configurable from UI.

    1 person found this answer helpful.
    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Thameur-BOURBITA 32,606 Reputation points


    The CAPolicy.inf file defines the extensions, constraints, and other configuration settings that are applied to a root CA certificate and all certificates issued by the root CA. You can get more details about syntax and settings can be added on this file : prepare-the-capolicy-inf-file

    It's not necessary but recommended to be able to setup some settings not supported by UI and have a template of CA settings in order to simplify the CA installation and migration.


    Please don't forget to mark helpful reply as answer

    1 person found this answer helpful.
    0 comments No comments

  2. Hannah Xiong 6,241 Reputation points


    Thank you so much for posting here.

    The CAPolicy.inf contains various settings that are used when installing the Active Directory Certification Service (ADCS) or when renewing the CA certificate.The CAPolicy.inf file is not required to install AD CS with the default settings, but in many cases the default settings are insufficient. The CAPolicy.inf can be used to configure CAs in these more complicated deployments.

    CAPolicy.inf is still necessary if you want to define some properties which are not configurable by using other means, like renewal settings, signature format for CA certificate and so on.

    Best regards,
    Hannah Xiong


    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
    0 comments No comments

  3. Ming Cheung 421 Reputation points

    thank you all guys, but i can only mark accept to the 1st answer

    0 comments No comments