Basics: Configuration file for the certification authority (capolicy.inf)

The capolicy.inf contains basic settings that can or should be specified before installing a certificate authority. In simple terms, it can be said that no certificate authority should be installed without it.

Create a capolicy.inf

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

The file is not created automatically. Accordingly, it must be created before installing a certificate authority and, in case of migration or Recovery be transferred from the source system.

Version

Each capolicy.inf must start with the "version" extension with the following content.

[Version]
Signature= "$Windows NT$"

Strings

In the "Strings" section text variables can be defined, e.g. to convert object identifiers into an easily readable format.

[Strings]
szOID_NAME_CONSTRAINTS = "2.5.29.30"

Extensions

The "Extensions" section allows to define or modify extensions in the certificate request (and thus in the resulting certificate).

Example: Setting the "Name Constraints" extension of an issuing certification authority to allow DNS names in the Subject Alternative Name for "adcslabor.de" and to prevent the use of the Common Name.

[Extensions]
Critical = %szOID_NAME_CONSTRAINTS%
%szOID_NAME_CONSTRAINTS% = "{text}"
continue = "SubTree=Include&"
continue = "DNS = adcslabor.com&"
continue = "SubTree=Exclude&"
continue = "DIRECTORYNAME = CN=&"

[Strings]
szOID_NAME_CONSTRAINTS = "2.5.29.30"

According to RFC 5280, name constraints are ignored for certificates for root certificate authorities.

Example: Modify the "Key Usage" extension of a root certification authority. Remove "Digital Signature" and set the "Key Usage" extension as critical.

[Extensions]
2.5.29.15 = AwIBBg==
Critical = 2.5.29.15

Example: Removing the extensions "CA Version" and "Previous CA Certificate Hash" from a root certification authority certificate.

[Extensions.]
1.3.6.1.4.1.311.21.1= ; szOID_CERTSRV_CA_VERSION
1.3.6.1.4.1.311.21.2= ; szOID_CERTSRV_PREVIOUS_CERT_HASH

See also the following articles:

BasicConstraintsExtension

The BasicConstraintsExtension section allows to define the path length constraint of a certification authority certificate. This setting should not be applied to certificates of a root certification authority to maintain flexibility. Instead, the extension should be configured for certificates of issuing certification authorities.

[BasicConstraintsExtension]
PathLength=0
Critical=TRUE

Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates.

https://tools.ietf.org/html/rfc5280#section-4.2.1.9

See also article "Basics: Path Length Constraint„.

PolicyStatementExtension

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.3.6.1.4.1.99999.300.2.1.4.3.1
Notice=CPS is to be found at: http://pki.adcslabor.de/CPS/index.html
URL=http://pki.adcslabor.de/CPS/index.html

The Trusted Platform Module (TPM) Key Attestation can optionally be used with issuance guidelines. If it is planned to use this, it makes sense to include the issuance guidelines defined for this purpose in the Certification Authority certificate.

See also article "Configuring the Trusted Platform Module (TPM) Key Attestation„.

Alternatively, you can also include the AnyPolicy object identifier:

[PolicyStatementExtension]
Policies=AllIssuancePolicy

[AllIssuancePolicy]
OID=2.5.29.32.0

This procedure should be avoided, is according to RFC 5280 but explicitly allowed.

When a CA does not wish to limit the set of policies for certification paths that include this certificate, it MAY assert the special policy anyPolicy, with a value of { 2 5 29 32 0 }.

https://tools.ietf.org/html/rfc5280#section-4.2.1.14

Here is a list of common (general) exhibition guidelines.

OIDDescription
2.5.29.32.0All Issuance Policies (AnyPolicy)
1.3.6.1.4.1.311.21.32TPM Key AttestationUser Credentials: (Low Assurance)
1.3.6.1.4.1.311.21.31TPM Key AttestationEndorsement Certificate: (Medium Assurance)
1.3.6.1.4.1.311.21.30TPM Key AttestationEndorsement Key: (High Assurance)

EnhancedKeyUsageExtension

In the "EnhancedKeyUsageExtension" section, the "Enhanced Key Usage" extension of a certificate authority certificate can be edited in order to limit the range for issuing certificates.

Microsoft uses the term "Enhanced Key Usage", the correct name according to RFC 5280 is "Extended Key Usage"..

[EnhancedKeyUsageExtension.]
OID=1.3.6.1.5.5.7.3.1 ; Client Authentication
OID=1.3.6.1.5.5.7.3.2 ; Server Authentication
OID=1.3.6.1.5.5.7.3.9 ; OCSP Signing
OID=1.3.6.1.4.1.311.21.5 ; Private Key Archival
Critical=FALSE

Concerning restrictions of extended key usages in certification authority certificates, the RFC 5280 Unfortunately, this is not the case. The evaluation must therefore be carried out individually for each application.

The CA/Browser Forum (CAB) responsible for certificate processing in popular browsers. recommends for example, for SSL, the restriction of the extended key usages of a certification authority and advises marking the extension as non-critical.

Regarding smart card registration domain controllers ignore the restriction of extended key usages but in the default setting, for example, completely.

See also the following articles:

In addition to the provided Extended Key Usages, restrictions should always include "Private Key Archival" and "OCSP Signing". If a network device enrollment service (NDES) is connected to the certification authority, the "Certificate Request Agent" Extended Key Usage is also required.

Here is a list of common extended key usages:

OIDDescription
1.3.6.1.4.1.311.20.2.1Certificate Request Agent
1.3.6.1.5.5.7.3.2Client Authentication
1.3.6.1.5.5.7.3.3Code Signing
1.3.6.1.4.1.311.10.3.13Lifetime Signing
1.3.6.1.4.1.311.10.3.12Document Signing
1.3.6.1.4.1.311.80.1Document Encryption
1.3.6.1.4.1.311.10.3.4Encrypting file system
1.3.6.1.4.1.311.10.3.4.1File Recovery
1.3.6.1.5.5.7.3.5IP Security End System
1.3.6.1.5.5.8.2.2IP Security IKE Intermediate
1.3.6.1.5.5.7.3.6IP Security Tunnel Endpoint
1.3.6.1.5.5.7.3.7IP Security User
1.3.6.1.4.1.311.10.3.11Key Recovery
1.3.6.1.5.2.3.5KDC Authentication
1.3.6.1.4.1.311.10.3.1Microsoft Trust List Signing
1.3.6.1.4.1.311.10.3.10Qualified Subordination
1.3.6.1.4.1.311.10.3.9Root List Signer
1.3.6.1.5.5.7.3.4Secure E-mail
1.3.6.1.5.5.7.3.1Server Authentication
1.3.6.1.4.1.311.20.2.2Smartcard Logon
1.3.6.1.5.5.7.3.8Time Stamping according to RFC 3161
1.3.6.1.5.5.7.3.9OCSP Signing
1.3.6.1.4.1.311.54.1.2Remote Desktop Authentication
1.3.6.1.4.1.311.21.5Private Key Archival
2.16.840.1.113741.1.2.3Intel Advanced Management Technology (AMT) Provisioning

NameConstraintsExtension

Allows the definition of name restrictions for the certification authority certificate.

[NameConstraintsExtension]
Include = PermittedSubtrees
Critical = True

[PermittedSubtrees]
DirectoryName = CN=ADCS Lab Test Issuing CA 1-Xchg
DNS = .intra.adcslabor.com

See article "Basics: Name Constraints„.

Certsrv_Server

In this section, settings for the certification authority process can be defined.

ParameterDescription
RenewalKeyLengthApplied only when renewing the certificate authority certificate with a new key pair. Indicates the key size to be used in this case.
RenewalValidityPeriodAffects only root Certification Authorities.
Used only when renewing the certification authority certificate of a root certification authority (this authority itself determines its own certificate validity).
RenewalValidityPeriodUnitsAffects only root Certification Authorities.
Used only when renewing the certification authority certificate of a root certification authority (this authority itself determines its own certificate validity).
AlternatesignatureAlgorithmAffects only root Certification Authorities.
If the value is set to "0", the PKCS#1 padding scheme version 1.5 is used.
If the value is set to "1", the PKCS#1 padding scheme version 2.1 is used.
ForceUTF8Affects only root Certification Authorities.
Forces the encoding of the certificate authority's "Common Name" in UTF-8 (Otherwise only if it contains special characters). May cause compatibility problems and should therefore not be used if possible.
LoadDefaultTemplatesAffects only Active Directory-integrated certificate authorities (Enterprise CA).
If the value is set to "1" or not defined, a set of default certificate templates is automatically published on the certification authority - therefore the value should be defined and set to "0" to prevent this.

See also the following articles:

Example of typical settings for a root certification authority:

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=8
AlternateSignatureAlgorithm=0
ForceUTF8=1

Example of typical settings of an issuing certification authority:

[Certsrv_Server]
RenewalKeyLength=4096
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0

In the last "official" book on Microsoft Active Directory Certificate Services, "Microsoft Windows Server 2008 PKI and Certificate Security" by Brian Komar incorrectly refers to DiscreteSignatureAlgorithm, and the values were exactly reversed. At the time the book went to press, this was also correct, but with the transition from the beta version of Windows Server 2008 to the final version, the directive was renamed to "AlternateSignatureAlgorithm", including the reverse functionality. Thus, PKCS#1 was still used as the default in version 1.5 if the directive was not explicitly configured.

Save the file

The file must be saved in the C:\Windows directory with ANSI encoding before configuring the certificate authority role.

The designation "ANSI" corresponds to the character code Windows-1252 (Latin-1, Western European) in the Windows ecosystem.

Legacy and unusual settings

For the sake of completeness, here are some settings that are no longer relevant in practice.

CRLDistributionPoint and AuthorityInformationAccess

In this section, an extension for revocation list distribution points or for access to job information in the certificate request can be entered.

The section should no longer be used. Sections in capolicy.inf (with the exception of the CertSrv_Server section) are written to the certificate request for the certification authority and are overwritten by the parent certification authority anyway. So the paths are set in the configuration of the parent certificate authority. If you want to customize the revocation list distribution points or for access to job information for the certification authority, you do this via the registration of the installed certification authority.

[CRLDistributionPoint]
URL=http://pki.adcslabor.de/CertData/MeineCrl.crl

[AuthorityInformationAccess]
URL=http://pki.adcslabor.de/CertData/MeinCaZertifikat.crt

Also, the "Empty=true" directive in these sections is no longer required for root CA certificates since Windows Server 2008 and newer.

See also article "Token for CDP and AIA configuration of a certification authority„.

Settings that can also be set via the registration of the certification authority

The following settings can be set in the CertSrv_Server section. They are optional and identical to the value of the same name in the certification authority registration. Thus, it makes sense to set them there as well after a certification authority installation.

The "Unit" values are given in the following format: "Minutes", "Hours", "Days", "Weeks", "Months", "Years".

ParameterDescription
ClockSkewMinutesDescribes the difference (plus/minus) of issued certificates to the system time in minutes to compensate for any time differences.
CRLPeriodDescribes the units for the validity of the blacklists.
CRLPeriodUnitsDescribes the numerical value for the associated unit.
CRLOverlapPeriodDescribes the units for the overlap period of the revocation lists.
CRLOverlapUnitsDescribes the numerical value for the associated unit.
CRLDeltaPeriodUnitsDescribes the units for the validity of the delta revocation lists.
CRLDeltaPeriodDescribes the numerical value for the associated unit.
CRLDeltaOverlapUnitsDescribes the units for the overlap period of the delta revocation lists.
CRLDeltaOverlapPeriodDescribes the numerical value for the associated unit.

Unusual other settings

ParameterDescription
EnableKeyCountingIf this option is enabled (value set to "1"), a counter is incremented each time the private key is used. However, this function must be supported by the corresponding key storage provider.

Related links:

External sources

en_USEnglish