Renewal Validity Period and PeriodUnits and AIA, CDP section in capolicy.inf file
Yes, you can remove the CRLDistributionPoint and AuthorityInformationAccess sections from the CAPolicy.inf file.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
March 7th, 2012 9:17am

RenewalValidityPeriod and RenewalValidityPeriodUnits establish the lifetime of the new root CA certificate when renewing the old root CA certificate. It only applies to a root CA. The certificate lifetime of a subordinate CA is determined by its superior. RenewalValidityPeriod can have the following values: Hours, Days, Weeks, Months, and Years. It is important to note that the initial lifetime of the Root CA cert is determined by the values entered when you run the wizard. Suitable values can only really be determined by your organisation and security policy, but typically a root CA would have a certificate lifetime of 10 or 20 years. One approach might be to establish what is the longest validity you'll require for end entity certificates, double it for the issuing CAs, and then double it again for the root CA (in two tier). With this approach you would routinely renew each CA certificate when half of its lifetime was reached; this is because a CA can't issue certificates with an expiry date after that of the CA certificate itself. You also need to consider CRL publication intervals at each tier to get a balance between security and the amount of routine administration required. Algorithm and key length can have a bearing on how long you want certificates to be valid, because they effectively determine how long it might take an attacker to crack them, i.e. the stronger the cryptography, the longer you might be prepared to have certificates valid for.

Douks
March 7th, 2012 11:40am
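The two answers above, put into the CAPolicy.inf format. This is an added example, not a file posted by either answerer: the 20-year renewal lifetime, the 4096-bit renewal key and the 26-week base CRL interval for an offline root are assumed illustrative values, and the CDP/AIA sections are simply left out as the thread suggests.

```ini
[Version]
Signature="$Windows NT$"

[certsrv_server]
; Lifetime of the renewed root CA certificate (root CA only; the initial
; lifetime is still whatever was entered in the installation wizard).
; Allowed period values: Hours, Days, Weeks, Months, Years.
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

; Key size used when the root certificate is renewed with a new key pair
; (assumed value; pick it from your own policy).
RenewalKeyLength=4096

; Base CRL interval for a root that is offline for months at a time
; (assumed value). Long intervals reduce the administrative burden of
; bringing the root online, at the cost of slower revocation of a
; compromised issuing CA certificate.
CRLPeriod=Weeks
CRLPeriodUnits=26

; An offline root does not need delta CRLs; 0 disables them.
CRLDeltaPeriodUnits=0

; No [CRLDistributionPoint] or [AuthorityInformationAccess] sections here:
; per the thread they can be omitted on this OS, so there is no need for
; an Empty=True entry. The CA's CDP and AIA URLs are set on the CA after
; installation (e.g. certutil -setreg CA\CRLPublicationURLs ...).
```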

In your capolicy.inf file, what would be good figures for these two keys? Let's say you have the Root CA offline for months on end. Also, can we simply eliminate the sections about AIA and CDP, since the W2K8 (in this case) Root CA does not read them anyway (hence the uselessness of the Empty = true key-value combination with this OS)?

Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
March 10th, 2012 10:01pm


