ADCS Installation (Part 3): Online Issuing CA CAPolicy.inf and post install script
This is my part 3 for AD Certificate Services Installation. I have asked questions about CAPolicy.inf and the post-installation script for my offline root CA in: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/4256a27f-29ee-42a1-b687-ad3c21e04c0c?prof=required

I plan to build an offline root CA and an online issuing CA. Here is my CAPolicy.inf for the online issuing CA:

****************************************************************
[Version]
Signature = "$Windows NT$"

[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years
CRLPeriod = days
CRLPeriodUnits = 3
CRLOverlapPeriod = hours
CRLOverlapUnits = 4
CRLDeltaPeriod = hours
CRLDeltaPeriodUnits = 12
AlternateSignatureAlgorithm = 1
LoadDefaultTemplates = 0
****************************************************************

Here is my post-installation script for the online issuing CA:

****************************************************************
::Declare Configuration NC
certutil -setreg CA\DSConfigDN CN=Configuration,DC=MyRootDomain,DC=com

::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 3
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 4
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "Hours"

::Apply the required CDP Extension URLs (%% is needed because this runs as a .bat file)
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n6:http://%%1/CertEnroll/%%3%%8%%9.crl\n6:http://cert.MyCompanyName.com/CertData/%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://%%1/CertEnroll/%%1_%%3%%4.crt\n2:http://cert.MyCompanyName.com/CertData/%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

::Enable all auditing events for the Fabrikam Corporate Issuing CA
certutil -setreg CA\AuditFilter 127

::Enable Alternate signatures in issued certificates
certutil -setreg CA\csp\AlternateSignatureAlgorithm 1

::Set Maximum Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

::Restart Certificate Services and publish a fresh CRL
net stop certsvc & net start certsvc
::sleep comes from the Resource Kit; "timeout /t 5" is the built-in equivalent on Server 2008
sleep 5
certutil -crl
****************************************************************

Could all experts in the forum examine those two files? Again, I have modified them from the examples in Brian Komar's book. In particular, please verify two commands: "certutil -setreg CA\CRLPublicationURLs ..." and "certutil -setreg CA\CACertPublicationURLs ...". My understanding is that both commands will set up four entries for CDP and AIA:
%windir%\system32\CertSrv\CertEnroll\...
http://My_FQDN_for_online_issuingCA_server/...
http://cert.MyCompanyName.com/CertData/...
ldap:///...,CN=Public Key Services,CN=Services,...

I also noticed that both CAPolicy.inf and the post-installation script configure the same settings. Of course, I will perform the pre-installation configuration based on Brian's book, pages 132 to 134:
Installing certificates from the root CA locally at the issuing CA
Publishing certificates and CRLs to AD DS
Copying certificates and CRLs to HTTP publication points

And then install ADCS with Certification Authority, Certification Authority Web Enrolment, and Online Responder. Other than running the post-installation script for the above online issuing CA, do I need to do anything else? Thanks in advance.
SJJ123
January 12th, 2010 1:45am

Only one correction: if your certificates will be used outside of your domain/forest (for example from the internet), I would advise setting the external HTTP URL for CDP and AIA in first position.

> RenewalValidityPeriodUnits=10
> RenewalValidityPeriod=years

This is necessary for Root CAs. In other cases the certificate validity period is determined by the parent CA only.
http://www.sysadmins.lv
January 12th, 2010 10:41am
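As an added example (not code from the thread or from Brian Komar's book) of what the two certutil -setreg ...PublicationURLs commands in the first post set up, and of the ordering advice in the reply above: it parses the CDP and AIA strings, decodes each entry's flag bits, expands the %N tokens for a hypothetical issuing CA, and checks whether the first HTTP URL is the external one. The token values (host names, CA name, configuration container) are constructed assumptions; the flag-bit names follow the certutil convention.

```python
import re

# Flag bits a certutil ...PublicationURLs entry can carry (the bit values certutil documents).
CDP_FLAGS = {1: "ServerPublish", 2: "AddToCertCDP", 4: "AddToFreshestCRL",
             8: "AddToCRLCDP", 64: "ServerPublishDelta", 128: "AddToIDP"}
AIA_FLAGS = {1: "ServerPublish", 2: "AddToCertAIA", 32: "AddToCertOCSP"}

# Constructed values for the %N substitution tokens of a hypothetical issuing CA.
TOKENS = {"1": "issuingca01.MyRootDomain.com", "2": "issuingca01",      # ServerDNSName, ServerShortName
          "3": "Fabrikam Corporate Issuing CA", "7": "Fabrikam Corporate Issuing CA",  # CAName, CATruncatedName
          "4": "", "8": "", "9": "+",                                   # CertificateName, CRLNameSuffix, DeltaCRLAllowed
          "6": "CN=Configuration,DC=MyRootDomain,DC=com",              # ConfigurationContainer
          "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
          "11": "?cACertificate?base?objectClass=certificationAuthority"}

# The two values from the post, exactly as the .bat file carries them (%% and a literal \n).
CDP_VALUE = (r"65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl"
             r"\n6:http://%%1/CertEnroll/%%3%%8%%9.crl"
             r"\n6:http://cert.MyCompanyName.com/CertData/%%3%%8%%9.crl"
             r"\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10")
AIA_VALUE = (r"1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt"
             r"\n2:http://%%1/CertEnroll/%%1_%%3%%4.crt"
             r"\n2:http://cert.MyCompanyName.com/CertData/%%1_%%3%%4.crt"
             r"\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11")

def parse_publication_urls(value, flag_names):
    """Split a ...PublicationURLs value into (flags, url, [flag names]) entries."""
    entries = []
    for item in value.split(r"\n"):  # certutil separates entries with a literal \n
        flags, url = item.split(":", 1)
        flags = int(flags)
        entries.append((flags, url, [n for bit, n in flag_names.items() if flags & bit]))
    return entries

def expand(url, tokens):
    """Replace %N (or %%N, which cmd turns into %N) with the CA's values; %windir% is untouched."""
    return re.sub(r"%%?(\d+)", lambda m: tokens[m.group(1)], url)

def first_http_is_external(entries, tokens, ca_host):
    """Vadims' advice: the first HTTP URL should be the external name, not the CA's own host."""
    for _, url, _ in entries:
        url = expand(url, tokens)
        if url.lower().startswith("http://"):
            return ca_host.lower() not in url.lower()
    return False

CDP_ENTRIES = parse_publication_urls(CDP_VALUE, CDP_FLAGS)
AIA_ENTRIES = parse_publication_urls(AIA_VALUE, AIA_FLAGS)
for flags, url, names in CDP_ENTRIES + AIA_ENTRIES:
    print(f"{flags:3} {'|'.join(names):55} {expand(url, TOKENS)}")
```

With the post's ordering the internal FQDN comes first, so the check returns False; swapping the two HTTP entries makes it True.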

Hi Vadims,

Thank you very much for your reply. At the moment, our certificates will be used for internal purposes. My current plan is to point http://cert.MyCompanyName.com/CertData/... to the online issuing CA server via DNS as a start, and then it could move to another web server or web cluster. I will take your advice to put the potential external HTTP URL http://cert.MyCompanyName.com/CertData/... in first position.

The two lines are based on Brian's book (page 134) for the online issuing CA. As recommended by you and other experts, both my offline root CA and online issuing CA will have a 10-year validity period. Do I need to take those two lines off?

Kind regards,
SJJ123
January 12th, 2010 1:28pm

These settings affect Root CA renewal only. For Intermediate CAs this is not relevant.
http://www.sysadmins.lv
January 12th, 2010 1:51pm

Actually, Vadims, you are incorrect. You could request a shorter validity period than the validity period defined at the root CA. For example, at the root, you could set:

ValidityPeriod: Years
ValidityPeriodUnits: 10

But you could renew the issuing CA with a five-year validity period by setting:

> RenewalValidityPeriodUnits=5
> RenewalValidityPeriod=years

Brian
January 12th, 2010 3:22pm

Oops. And how will it look in the request file? Also, how will this setting affect online CAs (where templates are used)?
http://www.sysadmins.lv
January 12th, 2010 7:12pm

If you are requesting a subordinate CA certificate from an enterprise CA, then the validity period will be the least of:
1) The ValidityPeriodUnits on the issuing CA
2) The validity period of the Subordinate CA certificate
3) The RenewalValidityPeriodUnits (or the validity period requested in the request)

Brian
January 12th, 2010 9:50pm

Does this mean that the template setting is not used?
http://www.sysadmins.lv
January 12th, 2010 10:05pm

This topic is archived. No further replies will be accepted.
