This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 43%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
i want to create CAPolicy.ini, but cannot find any detail about
[InternalPolicy]
[PolicySyaymentExtension]
https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file
even offical document from microsoft, it has no detail like what is the value for ?
what will use this value, where will the value apply for?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Ming Cheung ,
Thank you for posting here.
For deploying one-tier PKI or two-tier PKI and creating CAPolicy.inf, you can refer to links below.
ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx
AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hi Daisy
i check the second link "AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment"
on topic "Publish the Root CA Certificate and CRL"
i see [certutil -f -dspublish "A:\CA01_Fabrikam Root CA.crt" RootCA]
as i know this will publish this root cert to AD, and it will dispatch this root cert to all domain joined clients root store
and also[certutil -addstore -f root "CA01_Fabrikam Root CA.crt"]
why need this command to add the root cert to root store again?
thank you
you don't need to call certutil -addstore it is a copy/paste from very-very old guides. It is only necessary on policy CAs in 3+ tier hierarchies.
Hello @Ming Cheung ,
Thank you for your reply.
Hope the information provided by Crypt32 is helpful to you.
If root cert is added to all domain joined clients root store after you run [certutil -f -dspublish "A:\CA01_Fabrikam Root CA.crt" RootCA], then you do not need to run command [certutil -addstore -f root "CA01_Fabrikam Root CA.crt"]
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Thank you the explanation Crypt32
Thank you the explanation Daisy