2

When installing a Windows CA, capol.inf confuses me.

It seems that capol.inf does set defaults for the CA that can otherwise be done using certutil's registry functions (or regedit).

It also appears to have a role when renewing a CA cert.

Finally, it seems to also set defaults for newly issued child certificates, but it is not used after installation for new child certs.

Can anyone clarify when this file is used, and if there are some sections that are used during some tasks, and not others (installation, renewal of CA, issuing child certs)?

makerofthings7

1 Answer

2

CAPolicy.inf is used to specify settings that affect the CA certificate itself and cannot be configured elsewhere (neither by certutil nor by the MMC GUI). This includes (but is not limited to) CA certificate renewal validity, key length, alternate signature algorithm, and certificate extension configuration.

This file is processed only during CA server installation and CA certificate renewal (regardless of whether a new key pair is generated or the existing key pair is reused). It is not processed during the rest of the CA's activities.

Crypt32
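A sample CAPolicy.inf covering the kinds of settings the answer lists, added here as an illustration and not part of the original answer. It assumes a standalone root CA; every value, the policy OID and the URL are constructed placeholders.

```ini
; Constructed sample for a standalone root CA; all values are illustrative.
; AD CS reads this file from %SystemRoot%\CAPolicy.inf.
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Key length applied when the CA certificate is renewed with a new key pair.
RenewalKeyLength=4096
; Validity period of the renewed root CA certificate.
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; 0 = PKCS #1 v1.5 signature on the CA certificate.
; 1 = PKCS #1 v2.1 (RSASSA-PSS); every relying client must support it.
AlternateSignatureAlgorithm=0

; The sections below define extensions written into the CA certificate itself.
[BasicConstraintsExtension]
; Allow one level of subordinate CAs below this CA.
PathLength=1
Critical=Yes

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
; Placeholder OID, notice and URL; replace with your organization's values.
OID=1.2.3.4.1455.67.89.5
Notice="Constructed example policy statement"
URL=http://pki.example.test/cps.txt
```

Because the file is read only at installation and at CA certificate renewal, an edit made afterwards shows up in the CA certificate only at the next renewal.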