Hi There, I’m working on implementing two tier PKI and was wondering If I need to use the CAPolicy.inf. In the Microsoft book they are using it but on Technet documentation they are not using it. Can someone please recommend me which method to use? The deployment will have 1 X offline standard CA and two issuing Enterprise CA running windows 2008 Servers. Thanks, SimonMCSA, MCSE, MCITP:SA, MCITP:EA, MCTS:Exchange Server 2010 Config, CCNA

If you wish to define: - Renewal key length for any CA - Renewal validity period for any CA - Initial AIA and CDP paths for a root CA - Key Usage criticality and settings for any CA - Whether to install default certificate templates on an enterprise CA You must implement a capolicy.inf I have never deployed a CA *without* using a capolicy.inf HTH, Brian

Forgot the most important one, if you want to declare certificate policies and their related attributes (OID/URL), you must use a capolicy.inf Brian

Thanks Brian, I'm reading your book "Windows Server 2008 PKI and Certificate Security" and you have done a great job with it. Thanks, Simon MCSA, MCSE, MCITP:SA, MCITP:EA, MCTS:Exchange Server 2010 Config, CCNA