Posted by Gunna on September 14, 2008, 6:58 pm
Many thanks Brian,
Could you answer a question raised from the info below? I noticed in a lot of
the sample capolicy.inf files for a Root CA that the CDP and AIA are set to
empty. Does this mean that the recommendation is not to have a CDP or AIA for
a Root CA, or is it suggesting to use the settings in the management console or
something else?
Apologies if the answer is in your book, I'm not that far yet.
"Brian Komar (MVP)" wrote:
> 1) You need to edit the %windir%\capolicy.inf file (this does a 20 year
> renewal)
> [Version]
> Signature="$Windows NT$"
>
> [certsrv_server]
> renewalkeylength=2048
> RenewalValidityPeriodUnits=20
> RenewalValidityPeriod=years
>
> CRLPeriod=weeks
> CRLPeriodUnits=26
> CRLDeltaPeriodUnits=0
> CRLDeltaPeriod=days
>
> [CRLDistributionPoint]
> Empty=True
>
> [AuthorityInformationAccess]
> Empty=True
>
> 2) Renew the root CA with a new key pair (there is a bug here in 2003 that
> does not recognize the capolicy.inf when you renew with a new key pair)
> 3) Renew the root CA with the same key pair (this reads the capolicy.inf)
> Now good for 20 years.
>
> Brian
>
>
>
> > Apologies if this is covered elsewhere, I did google it first. I have a
> > Standalone Root CA whose certificate is only valid for 5 years. Is there a
> > way I can renew the Root certificate extending the validity period? I know
> > setting the validity period etc. on the CA seems to only affect certificates
> > issued from the CA but not the CA's root certificate.
> >
> > Is this possible or am I looking at a rebuild? BTW I inherited this PKI so
> > I had nothing to do with the planning, I know good planning is important.
>
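A pre-renewal check of the capolicy.inf quoted above, as an added example that is not part of the original posts: it parses the file, summarises the renewal and CRL settings, and flags any key outside the set the quoted file uses so a mistyped name is caught before the renewal is run. The function name, the day-count table and the known-key set are assumptions made for this example.

```python
import configparser

# The capolicy.inf quoted in the thread, embedded so the check runs offline.
SAMPLE_INF = """[Version]
Signature="$Windows NT$"
[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=years
CRLPeriod=weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
[CRLDistributionPoint]
Empty=True
[AuthorityInformationAccess]
Empty=True
"""
# Assumption: rough day counts, used only for a human-readable summary.
DAYS = {"days": 1, "weeks": 7, "months": 30, "years": 365}
# Keys the quoted file uses; anything else is flagged for manual review.
KNOWN = {"renewalkeylength", "renewalvalidityperiod", "renewalvalidityperiodunits",
         "crlperiod", "crlperiodunits", "crldeltaperiod", "crldeltaperiodunits"}

def review_capolicy(text):
    """Return (summary, findings) for a capolicy.inf given as a string."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # configparser lowercases key names only, so lowercase section names here.
    sec = {name.lower(): dict(cp[name]) for name in cp.sections()}
    srv, findings = sec.get("certsrv_server", {}), []
    if sec.get("version", {}).get("signature", "").strip('"') != "$Windows NT$":
        findings.append("[Version] Signature missing or wrong")
    findings += [f"unexpected key: {k}" for k in sorted(set(srv) - KNOWN)]

    def days(prefix):
        unit = srv.get(prefix + "period", "").lower()
        count = srv.get(prefix + "periodunits", "")
        if unit not in DAYS or not count.isdigit():
            findings.append(f"{prefix} period missing or malformed")
            return None
        return int(count) * DAYS[unit]

    def empty(name):
        return sec.get(name, {}).get("empty", "").lower() == "true"

    bits = srv.get("renewalkeylength", "")
    summary = {"key_bits": int(bits) if bits.isdigit() else None,
               "renewal_days": days("renewalvalidity"), "crl_days": days("crl"),
               "delta_crl_days": days("crldelta"),
               "cdp_empty": empty("crldistributionpoint"),
               "aia_empty": empty("authorityinformationaccess")}
    return summary, findings
```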