CAPolicy.inf and Install-AdcsCertificationAuthority

Question

I am just working on creating 2-tier PKI and wonder why so many tutorials create such capolicy.inf

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
URL=http://pki.bedrock.domain/pki/cps.html
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=20
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

and later runs such cmdlet

Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName "Bedrock Root Certificate Authority" -KeyLength 4096 -HashAlgorithm SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

I do not know much about CA, but seems we are doubling the work as here:

CRLPeriod=Years
CRLPeriodUnits=20

And here

-ValidityPeriod Years -ValidityPeriodUnits 20

we configure the same stuff.

Example: https://timothygruber.com/pki/deploy-a-pki-on-windows-server-2016-part-3/

And it is not only this tutorial but many of them. There must be something I do not understand, appreciate if someone could explain.

score 0 · Answer 1 · answered Aug 21 '20 at 12:30

0

I think I found the answer, these are not the same:

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file

answered Aug 21 '20 at 12:30

Pawe zaicnupagadi Jarosz

1
2

CAPolicy.inf and Install-AdcsCertificationAuthority

1 Answers1