I'm preparing a small PKI implementation with a single Enterprise Root CA on Windows 2008 R2 Enterprise.
The primary role of this CA is to provide certificates for about 20 laptops that will use the certificates for authentication to a wireless network.
I have prepared a CAPolicy.inf file and a post installation script (below).
Renewal period for the root cert should be 10 years, CRL publication every 2 days with Delta publication every 12 hours (details in scripts below).
I want to make sure the AIA and CRL url commands are correct.
Does this look correct?
AIA
1:%WINDIR%\System32\CertSrv\CertEnroll\%%1_%%3%%4.crt
This should publish the CA certificate to the local file system "certenroll".
2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11
This places the LDAP url in the AIA extension of issued certs.
I am not planning to use HTTP, hence its absence.
CRL
1:%WINDIR%\System32\CertSrv\CertEnroll\%%3%%8%%9.crl
This publishes the CRL to the local file system ("certenroll" subfolder).
10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10
Indicates CDP in AD DS and includes CDP url in issued certificates.
##########################################
Complete scripts
##########################################
1. CAPolicy.inf - %windir%

   ; Read when the root CA certificate is generated: 2048-bit key, 10-year validity,
   ; base CRL every 2 days, delta CRL every 12 hours, no default templates loaded.
   [Version]
   Signature="$Windows NT$"

   [certsrv_server]
   renewalkeylength=2048
   RenewalValidityPeriodUnits=10
   RenewalValidityPeriod=years
   CRLPeriod=days
   CRLPeriodUnits=2
   CRLDeltaPeriod=hours
   CRLDeltaPeriodUnits=12
   LoadDefaultTemplates=0

2. Install Role

   Follow steps in GUI here

3. Run post-install script

   REM DN of the AD configuration partition the CA publishes to (fills the %6 token)
   certutil -setreg CA\DSConfigDN CN=Configuration,DC=mydomain,DC=local
   REM Base CRL every 2 days, delta CRL every 12 hours
   certutil -setreg CA\CRLPeriodUnits 2
   certutil -setreg CA\CRLPeriod "days"
   certutil -setreg CA\CRLDeltaPeriodUnits 12
   certutil -setreg CA\CRLDeltaPeriod "hours"
   REM Maximum validity of certificates issued by this CA
   certutil -setreg CA\ValidityPeriodUnits 10
   certutil -setreg CA\ValidityPeriod "Years"
   REM AIA entries: 1 = publish the CA certificate to this location,
   REM 2 = include the URL in the AIA extension of issued certificates.
   REM \n separates entries; %%n is how a batch file escapes the %n tokens.
   certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\System32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
   REM CDP entries: 1 = publish base CRL here, 2 = include in CDP extension of issued certificates,
   REM 4 = include in Freshest CRL extension, 8 = include in CDP extension of issued CRLs,
   REM 64 = publish delta CRL here. 10 = 2 + 8 (no publish bit).
   certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\System32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
   REM Sign with the PKCS#1 v2.1 (alternate) signature format; Windows XP clients do not support it
   certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1
   REM 127 enables all seven CA audit categories
   certutil -setreg CA\AuditFilter 127
   net stop certsvc & net start certsvc
   certutil -crl
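The AIA and CDP entries in the post are "flags:URL" pairs, and the numeric prefix decides both whether the CA writes anything to the location and which extensions of issued certificates and CRLs carry the URL. The following PowerShell is an added example from the editor, not code from the original post: it decodes those bits using the documented CSURL_* values, expands the %n tokens for an assumed CA (CONTOSO-CA on ca01.mydomain.local in domain mydomain.local; every name is an assumption), flags the bits missing from the posted CDP entries relative to the 65/79 values a default installation writes, and emits certutil commands with the complete bit set. Nothing in it touches a CA, so it can be run anywhere.

```powershell
# Added example (editor's code, not from the original post). Decodes AD CS
# publication URL flags, expands %n tokens for an ASSUMED CA, and emits the
# corrected certutil commands. Adjust $Tokens for your own CA.

# Flag bits of CA\CRLPublicationURLs (CDP entries).
$CdpFlags = [ordered]@{
    1   = 'CSURL_SERVERPUBLISH      publish the base CRL to this location'
    2   = 'CSURL_ADDTOCERTCDP       add to the CDP extension of issued certificates'
    4   = 'CSURL_ADDTOFRESHESTCRL   add to the Freshest CRL extension (delta CRL lookup)'
    8   = 'CSURL_ADDTOCRLCDP        add to the CDP extension of issued CRLs'
    64  = 'CSURL_SERVERPUBLISHDELTA publish the delta CRL to this location'
    128 = 'CSURL_ADDTOIDP           add to the IDP extension of issued CRLs'
}
# Flag bits of CA\CACertPublicationURLs (AIA entries).
$AiaFlags = [ordered]@{
    1  = 'CSURL_SERVERPUBLISH  publish the CA certificate to this location'
    2  = 'CSURL_ADDTOCERTCDP   add to the AIA extension of issued certificates'
    32 = 'CSURL_ADDTOCERTOCSP  add to the AIA extension as an OCSP responder URL'
}

# Values the CA substitutes for %1..%11 at publication time (assumed CA).
$Tokens = @{
    '1'  = 'ca01.mydomain.local'                    # ServerDNSName
    '2'  = 'CA01'                                   # ServerShortName
    '3'  = 'CONTOSO-CA'                             # CaName
    '4'  = ''                                       # CertificateName: '' for key 0, '(1)' after renewal with a new key
    '5'  = 'DC=mydomain,DC=local'                   # DomainDN
    '6'  = 'CN=Configuration,DC=mydomain,DC=local'  # ConfigurationContainer
    '7'  = 'CONTOSO-CA'                             # CATruncatedName
    '8'  = ''                                       # CRLNameSuffix: '' for key 0, '(1)' after renewal
    '9'  = '+'                                      # DeltaCRLAllowed: '+' when naming the delta CRL, '' for the base CRL
    '10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'  # CDPObjectClass
    '11' = '?cACertificate?base?objectClass=certificationAuthority'            # CAObjectClass
}

function Read-PublicationUrl {
    # Split "flags:url" and name every bit that is set.
    param([string]$Entry, [System.Collections.IDictionary]$FlagTable)
    $flags, $url = $Entry -split ':', 2
    $set = @($FlagTable.Keys | Where-Object { ([int]$flags -band $_) -ne 0 } |
              ForEach-Object { $FlagTable[$_] })
    [pscustomobject]@{ Flags = [int]$flags; Url = $url; Meaning = $set }
}

function Get-MissingPublicationFlags {
    # Bits present in $Recommended but absent from $Actual.
    param([int]$Actual, [int]$Recommended, [System.Collections.IDictionary]$FlagTable)
    $missing = $Recommended -band (-bnot $Actual)
    @($FlagTable.Keys | Where-Object { ($missing -band $_) -ne 0 } | ForEach-Object { $FlagTable[$_] })
}

function Expand-PublicationUrl {
    # Batch files write %%n; the registry stores %n. Longest token first so %1 does not eat %10/%11.
    param([string]$Url, [hashtable]$Values)
    $out = $Url -replace '%%', '%'
    foreach ($n in 11..1) { $out = $out -replace "%$n", $Values["$n"] }
    $out
}

function New-CertutilCommands {
    # certutil separates the REG_MULTI_SZ entries with a literal \n inside one quoted argument.
    param([string[]]$AiaEntries, [string[]]$CrlEntries)
    @(
        ('certutil -setreg CA\CACertPublicationURLs "{0}"' -f ($AiaEntries -join '\n')),
        ('certutil -setreg CA\CRLPublicationURLs "{0}"' -f ($CrlEntries -join '\n')),
        'net stop certsvc && net start certsvc',
        'certutil -crl'
    )
}

# CDP entries as written in the post, beside the bit set a default install uses.
$Posted = @(
    @{ Entry = '1:%WINDIR%\System32\CertSrv\CertEnroll\%%3%%8%%9.crl'; Recommended = 65 },  # 1 + 64
    @{ Entry = '10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10'; Recommended = 79 }  # 1+2+4+8+64
)
$FixedCrl = foreach ($p in $Posted) {
    $d = Read-PublicationUrl -Entry $p.Entry -FlagTable $CdpFlags
    Write-Host ("{0,3}  {1}" -f $d.Flags, (Expand-PublicationUrl $d.Url $Tokens))
    $d.Meaning | ForEach-Object { Write-Host "       set:     $_" }
    Get-MissingPublicationFlags $d.Flags $p.Recommended $CdpFlags | ForEach-Object { Write-Host "       missing: $_" }
    '{0}:{1}' -f $p.Recommended, $d.Url   # corrected entry, still in batch (%%n) form
}
# The posted AIA entries already carry the bits they need.
$Aia = @(
    '1:%WINDIR%\System32\CertSrv\CertEnroll\%%1_%%3%%4.crt',
    '2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11'
)
New-CertutilCommands -AiaEntries $Aia -CrlEntries $FixedCrl
```

With bits 1 and 64 both set the CA writes the base and the delta CRL; with 1 alone it writes only the base CRL, and a 12-hour CRLDeltaPeriod then produces nothing. On the CA itself the live values can be read with `certutil -getreg CA\CRLPublicationURLs` and `certutil -getreg CA\CACertPublicationURLs`, and after `certutil -crl` the expanded names above are what should appear in the CertEnroll folder and on the CDP object in AD.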