Apply CA Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you intend to implement your certificate practice statement, you need to create and format a issuer policy statement file, and place this file in the %windir% path of the root or subordinate CA before the CA is installed. This file, named CAPolicy.inf, serves two purposes:

  • It provides basic information about the root CA, such as distribution points for the self-signed certificate, and the object identifier (also known as OID) information.

  • It includes information for certificate renewal, such as the certificate lifetime of the self-signed certificate.

CAPolicy.inf is processed for root CA and subordinate CA installations and renewals. The CDP and AIA extensions in CAPolicy.inf are used for root CA installations and renewals only. Subordinate CA certificates inherit the CDP and AIA extensions of the issuing parent CA.

The CPS statement extension is applied when root CA certificates and subordinate CA certificates are requested. The CAPolicy.inf mechanism can only be used to include a CPS statement extension in a CA certificate and not an end-client certificate.


  • When CAPolicy.inf is used to install a CA, it must also be used for renewal; otherwise, the settings that have been defined might not be retained when the CA keys are renewed.

For more information about creating and using CAPolicy.inf files, see "Installing and configuring a certification authority" in Help and Support Center for Windows ServerĀ 2003.