CAPolicy.inf Syntax

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

CAPolicy.inf is a configuration file that defines the extensions, constraints, and other settings applied to a root CA certificate and to all certificates issued by the root CA. The CAPolicy.inf file must be in place on the host server before setup of the root CA begins. When the security restrictions on a root CA are to be modified, the root certificate must be renewed, and an updated CAPolicy.inf file must be installed on the server before the renewal process begins.

The CAPolicy.inf is:

  • Created and defined manually by an administrator

  • Used during the creation of root and subordinate CA certificates

  • Defined on the signing CA, where you sign and issue the certificate (not on the CA whose request is being granted)

Once you have created your CAPolicy.inf file, copy it into the %systemroot% folder of your server before you install AD CS or renew the CA certificate.

The CAPolicy.inf makes it possible to specify and configure a wide variety of CA attributes and options. The following sections describe all the options, so you can create an .inf file tailored to your specific needs.

CAPolicy.inf File Structure

The following terms are used to describe the .inf file structure:

  • Section – an area of the file that covers a logical group of keys. Section names in .inf files are identified by brackets. Many, but not all, sections are used to configure certificate extensions.

  • Key – the name of an entry; it appears to the left of the equal sign.

  • Value – the parameter; it appears to the right of the equal sign.

In the example below, [Version] is the section, Signature is the key, and "$Windows NT$" is the value.

Example:

[Version]                     #section
Signature="$Windows NT$"      #key=value

Version

Identifies the file as an .inf file. Version is the only required section and must be at the beginning of your CAPolicy.inf file.

PolicyStatementExtension

Lists the policies that have been defined by the organization, and whether they are optional or mandatory. Multiple policies are separated by commas. The names have meaning in the context of a specific deployment, or in relation to custom applications that check for the presence of these policies.

For each policy defined, there must be a section that defines the settings for that particular policy. For each policy, you need to provide a user-defined object identifier (OID) and either the text you want displayed as the policy statement or a URL pointer to the policy statement. The URL can be an HTTP, FTP, or LDAP URL.

If you are going to have descriptive text in the policy statement, then the next three lines of the CAPolicy.inf would look like:

[InternalPolicy]
OID=1.1.1.1.1.1.1
Notice="Legal policy statement text"

If you are going to use a URL to host the CA policy statement, then the next three lines would instead look like:

[InternalPolicy]
OID=1.1.1.1.1.1.2
URL=http://pki.wingtiptoys.com/policies/legalpolicy.asp

In addition:

  • Multiple URL and Notice keys are supported.

  • Notice and URL keys in the same policy section are supported.

  • URLs with spaces or text with spaces must be surrounded by quotes. This is true for the URL key regardless of the section in which it appears.

An example of multiple notices and URLs in a policy section would look like:

[InternalPolicy]
OID=1.1.1.1.1.1.1
URL=http://pki.wingtiptoys.com/policies/legalpolicy.asp
URL=ftp://ftp.wingtiptoys.com/pki/policies/legalpolicy.asp
Notice="Legal policy statement text"

CRLDistributionPoint

You can specify CRL Distribution Points (CDPs) for a root CA certificate in the CAPolicy.inf. After the CA has been installed you can configure the CDP URLs that the CA includes in each certificate it issues; the URLs specified in this section of the CAPolicy.inf file are included in the root CA certificate itself.

[CRLDistributionPoint]
URL=http://pki.wingtiptoys.com/cdp/WingtipToysRootCA.crl

Some additional information about this section:

  • Multiple URLs are supported.

  • HTTP, FTP, and LDAP URLs are supported. HTTPS URLs are not supported.

  • This section is only used if you are setting up a root CA or renewing the root CA certificate. Subordinate CA CDP extensions are determined by the CA that issues the subordinate CA's certificate.

  • URLs with spaces must be surrounded by quotes.

  • If no URLs are specified – that is, if the [CRLDistributionPoint] section exists in the file but is empty – the CRL Distribution Point extension is omitted from the root CA certificate. This is usually preferable when setting up a root CA: Windows does not perform revocation checking on a root CA certificate, so the CDP extension is superfluous there.

AuthorityInformationAccess

You can specify the authority information access points for the root CA certificate in the CAPolicy.inf.

[AuthorityInformationAccess]
URL=http://pki.wingtiptoys.com/Public/myCA.crt

Some additional notes on the authority information access section:

  • Multiple URLs are supported.

  • HTTP, FTP, LDAP and FILE URLs are supported. HTTPS URLs are not supported.

  • This section is only used if you are setting up a root CA or renewing the root CA certificate. Subordinate CA AIA extensions are determined by the CA that issued the subordinate CA's certificate.

  • URLs with spaces must be surrounded by quotes.

  • If no URLs are specified – that is, if the [AuthorityInformationAccess] section exists in the file but is empty – the Authority Information Access extension is omitted from the root CA certificate. Again, this is the preferred setting for a root CA certificate, since there is no authority above a root CA that would need to be referenced by a link to its certificate.

certsrv_Server

Another optional section of the CAPolicy.inf is [certsrv_server], which is used to specify the renewal key length, the renewal validity period, and the certificate revocation list (CRL) validity period for a CA that is being installed or renewed. None of the keys in this section is required. Many of these settings have default values that are sufficient for most needs and can simply be omitted from the CAPolicy.inf file. Alternatively, many of these settings can be changed after the CA has been installed.

An example would look like:

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Days
CRLPeriodUnits=2
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=4
ClockSkewMinutes=20
LoadDefaultTemplates=True
AlternateSignatureAlgorithm=0
ForceUTF8=0
EnableKeyCounting=0

RenewalKeyLength sets the key size for renewal only. It is used only when a new key pair is generated during CA certificate renewal. The key size for the initial CA certificate is set when the CA is installed.

When renewing a CA certificate with a new key pair, the key length can be either increased or decreased; for example, you may have set a root CA key size of 4096 bits or higher and then discover that you have Java applications or network devices that can only support 2048-bit keys. Whether you increase or decrease the size, you must reissue all the certificates issued by that CA.

RenewalValidityPeriod and RenewalValidityPeriodUnits establish the lifetime of the new root CA certificate when renewing the old root CA certificate. They apply only to a root CA; the certificate lifetime of a subordinate CA is determined by its superior. RenewalValidityPeriod can have the following values: Hours, Days, Weeks, Months, and Years.

CRLPeriod and CRLPeriodUnits establish the validity period of the base CRL. CRLPeriod can have the following values: Hours, Days, Weeks, Months, and Years.

CRLDeltaPeriod and CRLDeltaPeriodUnits establish the validity period of the delta CRL. CRLDeltaPeriod can have the following values: Hours, Days, Weeks, Months, and Years.

Each of these settings can be configured after the CA has been installed (the registry value names carry the CA\ prefix):

certutil -setreg CA\CRLPeriod Weeks
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod Days
certutil -setreg CA\CRLDeltaPeriodUnits 1

Remember to restart Active Directory Certificate Services for the changes to take effect.

LoadDefaultTemplates applies only during the installation of an Enterprise CA. This setting, either True or False (or 1 or 0), dictates whether the CA is configured with any of the default templates.

In a default installation of the CA, a subset of the default certificate templates is added to the Certificate Templates folder in the Certification Authority snap-in. This means that as soon as the AD CS service starts after the role has been installed, any user or computer with sufficient permissions can immediately enroll for a certificate.

You may not want to issue any certificates immediately after a CA has been installed, so you can use the LoadDefaultTemplates setting to prevent the default templates from being added to the Enterprise CA. If no templates are configured on the CA, it can issue no certificates.

AlternateSignatureAlgorithm configures the CA to support the PKCS#1 v2.1 signature format for both the CA certificate and certificate requests. When set to 1 on a root CA, the CA certificate will use the PKCS#1 v2.1 signature format. When set on a subordinate CA, the subordinate CA will create a certificate request that uses the PKCS#1 v2.1 signature format. PKCS#1 v2.1 signatures are RSASSA-PSS; confirm that every client and device that must validate the chain can handle them before enabling this, since not all of them do.

ForceUTF8 changes the default encoding of relative distinguished names (RDNs) in Subject and Issuer distinguished names to UTF-8. Only those RDNs that support UTF-8, such as those defined as Directory String types by an RFC, are affected. For example, the Domain Component (DC) RDN supports encoding as either IA5 or UTF-8, while the Country (C) RDN supports only Printable String encoding. The ForceUTF8 directive will therefore affect a DC RDN but not a C RDN.

EnableKeyCounting configures the CA to increment a counter every time the CA's signing key is used. Do not enable this setting unless you have a Hardware Security Module (HSM) and an associated cryptographic service provider (CSP) that supports key counting. Neither the Microsoft Strong CSP nor the Microsoft Software Key Storage Provider (KSP) supports key counting.
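As an added example (not code from the original page), the following PowerShell function wraps the certutil commands above: it validates the period units, sets the base and delta CRL lifetimes under the CA\ registry prefix, restarts CertSvc so the values are picked up, publishes a fresh CRL immediately, and reads the effective values back from the CA's configuration key. The function name and parameter names are this example's own; it assumes it is run in an elevated session on the CA host by a CA administrator.

```powershell
# Added example: set CRL lifetimes on an installed CA and verify the result.
function Set-CACrlSchedule {
    param(
        [Parameter(Mandatory)][ValidateSet('Hours','Days','Weeks','Months','Years')][string]$BasePeriod,
        [Parameter(Mandatory)][ValidateRange(1, 3650)][int]$BaseUnits,
        [ValidateSet('Hours','Days','Weeks','Months','Years')][string]$DeltaPeriod = 'Days',
        [ValidateRange(0, 3650)][int]$DeltaUnits = 0    # 0 turns delta CRL publication off
    )

    # The value names live under the CA\ prefix; without it certutil cannot find them.
    $settings = [ordered]@{
        'CA\CRLPeriod'           = $BasePeriod
        'CA\CRLPeriodUnits'      = $BaseUnits
        'CA\CRLDeltaPeriod'      = $DeltaPeriod
        'CA\CRLDeltaPeriodUnits' = $DeltaUnits
    }
    foreach ($name in $settings.Keys) {
        $value = $settings[$name]
        certutil -setreg $name $value | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $name failed (exit code $LASTEXITCODE)" }
    }

    # The service reads its configuration at start, so restart it ...
    Restart-Service -Name CertSvc
    # ... and publish a CRL now instead of waiting for the current one to expire.
    certutil -crl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed (exit code $LASTEXITCODE)" }

    # Read the effective values back from the active CA's configuration key.
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca  = (Get-ItemProperty -Path $cfg -Name Active).Active
    Get-ItemProperty -Path (Join-Path $cfg $ca) |
        Select-Object CRLPeriod, CRLPeriodUnits, CRLDeltaPeriod, CRLDeltaPeriodUnits
}

# Weekly base CRL with a daily delta CRL, the same values the certutil lines above set.
Set-CACrlSchedule -BasePeriod Weeks -BaseUnits 1 -DeltaPeriod Days -DeltaUnits 1
```

Restarting CertSvc briefly interrupts enrollment, so schedule the change accordingly; publishing the CRL right away matters because relying parties cache the current CRL until it expires, and a shortened period only helps once a CRL issued under the new schedule is available at the CDP.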
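The rules stated in the sections above (Version first with the "$Windows NT$" signature, each listed policy needing its own section with an OID and a Notice or URL, quoted URLs when they contain spaces, no HTTPS in the CDP and AIA sections, FILE only in AIA, and the documented period units in [certsrv_server]) are easy to get wrong in a hand-written file, and a malformed CAPolicy.inf is silently ignored at install time. The following PowerShell function, an added example rather than anything shipped with AD CS, parses a CAPolicy.inf and reports violations of those rules. The function name, the finding messages, and the treatment of lines starting with ";" as comments are this example's own choices.

```powershell
# Added example: lint a CAPolicy.inf against the rules described on this page.
function Test-CAPolicyInf {
    param([Parameter(Mandatory)][string]$Path)

    $findings = [System.Collections.Generic.List[string]]::new()
    $sections = [ordered]@{}        # section name -> key/value entries, in file order
    $current  = $null

    foreach ($raw in (Get-Content -Path $Path)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.Contains($current)) { $sections[$current] = @() }
            continue
        }
        if ($null -eq $current) { $findings.Add("Key/value before any section header: $line"); continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current] += [pscustomobject]@{ Key = $Matches[1]; Value = $Matches[2] }
        } else {
            $findings.Add("Line in [$current] is not key=value: $line")
        }
    }

    # [Version] must be the first section and carry the $Windows NT$ signature.
    $names = @($sections.Keys)
    if ($names.Count -eq 0 -or $names[0] -ne 'Version') {
        $findings.Add('[Version] must be the first section')
    } else {
        $sig = @($sections['Version'] | Where-Object { $_.Key -eq 'Signature' })
        if ($sig.Count -eq 0 -or $sig[0].Value.Trim('"') -ne '$Windows NT$') {
            $findings.Add('[Version] needs Signature="$Windows NT$"')
        }
    }

    # Every policy named in Policies= needs its own section with an OID and a Notice or URL.
    if ($sections.Contains('PolicyStatementExtension')) {
        $pol = @($sections['PolicyStatementExtension'] | Where-Object { $_.Key -eq 'Policies' })
        if ($pol.Count -eq 0) {
            $findings.Add('[PolicyStatementExtension] has no Policies key')
        } else {
            foreach ($name in ($pol[0].Value -split ',' | ForEach-Object { $_.Trim() })) {
                if (-not $sections.Contains($name)) {
                    $findings.Add("Policy '$name' is listed but has no [$name] section"); continue
                }
                $keys = @($sections[$name] | ForEach-Object { $_.Key })
                if ($keys -notcontains 'OID') { $findings.Add("[$name] is missing OID=") }
                if ($keys -notcontains 'Notice' -and $keys -notcontains 'URL') {
                    $findings.Add("[$name] needs a Notice= or URL=")
                }
            }
        }
    }

    # URL rules: quote values with spaces; no HTTPS in CDP/AIA; FILE only in AIA.
    $allowed = @{ CRLDistributionPoint = 'http','ftp','ldap'; AuthorityInformationAccess = 'http','ftp','ldap','file' }
    foreach ($name in $sections.Keys) {
        foreach ($entry in $sections[$name]) {
            if ($entry.Key -ne 'URL') { continue }
            $v = $entry.Value
            if ($v -match '\s' -and -not ($v.StartsWith('"') -and $v.EndsWith('"'))) {
                $findings.Add("URL with spaces must be quoted in [$name]: $v")
            }
            if ($allowed.ContainsKey($name)) {
                $scheme = (($v.Trim('"')) -split ':', 2)[0].ToLower()
                if ($allowed[$name] -notcontains $scheme) { $findings.Add("[$name] does not support $scheme URLs: $v") }
            }
        }
    }

    # Period keys in [certsrv_server] take only the documented units.
    if ($sections.Contains('certsrv_server')) {
        foreach ($entry in $sections['certsrv_server']) {
            if ($entry.Key -match 'Period$' -and $entry.Value -notin 'Hours','Days','Weeks','Months','Years') {
                $findings.Add("[certsrv_server] $($entry.Key)=$($entry.Value) is not one of Hours/Days/Weeks/Months/Years")
            }
        }
    }

    return $findings.ToArray()    # empty output means every check passed
}

Test-CAPolicyInf -Path (Join-Path $env:SystemRoot 'CAPolicy.inf')
```

Run it against the copy in %systemroot% immediately before starting the AD CS installation or the renewal, since that is the copy setup reads. An empty [CRLDistributionPoint] or [AuthorityInformationAccess] section produces no finding: as the sections above explain, an empty section deliberately omits the extension from the root certificate.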

Create the CAPolicy.inf file

Before you install AD CS, configure the CAPolicy.inf file with the specific settings for your deployment.

Prerequisite: You must be a member of the Administrators group.

  1. On the computer where you plan to install AD CS, open Windows PowerShell, type notepad c:\CAPolicy.inf, and press ENTER.

  2. When prompted to create a new file, click Yes.

  3. Enter the following as the contents of the file:

    [Version]  
    Signature="$Windows NT$"  
    [PolicyStatementExtension]  
    Policies=InternalPolicy  
    [InternalPolicy]  
    OID=1.2.3.4.1455.67.89.5  
    Notice="Legal Policy Statement"  
    URL=http://pki.corp.contoso.com/pki/cps.txt  
    [Certsrv_Server]  
    RenewalKeyLength=2048  
    RenewalValidityPeriod=Years  
    RenewalValidityPeriodUnits=5  
    CRLPeriod=weeks  
    CRLPeriodUnits=1  
    LoadDefaultTemplates=0  
    AlternateSignatureAlgorithm=1  
    [CRLDistributionPoint]  
    [AuthorityInformationAccess]
    
  4. Click File, and then click Save As.

  5. Navigate to the %systemroot% folder.

  6. Ensure the following:

    • File name is set to CAPolicy.inf

    • Save as type is set to All Files

    • Encoding is ANSI

  7. Click Save.

  8. When you are prompted to overwrite the file, click Yes.

    Warning

    Be sure to save the CAPolicy.inf file with the .inf extension. If you do not specifically type .inf at the end of the file name and select the options as described, the file will be saved as a text file and will not be used during CA installation.

  9. Close Notepad.

Important

In the CAPolicy.inf, you can see there is a line specifying the URL http://pki.corp.contoso.com/pki/cps.txt. The [InternalPolicy] section of the CAPolicy.inf is shown only as an example of how you would specify the location of a certification practice statement (CPS). In this guide, you are not instructed to create the CPS.
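The Notepad procedure above is error-prone on a server you may build more than once: the encoding and extension checks in step 6 are easy to skip, and in a double-quoted PowerShell string the signature "$Windows NT$" would be expanded to an empty variable. As an added example (not part of the original page), the following PowerShell function writes the same file to %systemroot% as ASCII (a strict subset of ANSI, and the option Windows PowerShell 5.1 actually offers) and then re-reads the file to confirm the signature line survived intact. The function and parameter names are this example's own; the default values are the sample values from the procedure above.

```powershell
# Added example: write the CAPolicy.inf from the procedure above to %systemroot%
# and verify the result before installing AD CS.
function New-CAPolicyInf {
    param(
        [string]$PolicyOid        = '1.2.3.4.1455.67.89.5',
        [string]$CpsUrl           = 'http://pki.corp.contoso.com/pki/cps.txt',
        [int]   $RenewalKeyLength = 2048,
        [int]   $RenewalYears     = 5,
        [int]   $CrlWeeks         = 1,
        [string]$Path             = (Join-Path $env:SystemRoot 'CAPolicy.inf')
    )

    $lines = @(
        '[Version]'
        'Signature="$Windows NT$"'          # single quotes: $Windows must not be expanded
        '[PolicyStatementExtension]'
        'Policies=InternalPolicy'
        '[InternalPolicy]'
        "OID=$PolicyOid"
        'Notice="Legal Policy Statement"'
        "URL=$CpsUrl"
        '[Certsrv_Server]'
        "RenewalKeyLength=$RenewalKeyLength"
        'RenewalValidityPeriod=Years'
        "RenewalValidityPeriodUnits=$RenewalYears"
        'CRLPeriod=Weeks'
        "CRLPeriodUnits=$CrlWeeks"
        'LoadDefaultTemplates=0'           # no templates until an administrator adds them
        'AlternateSignatureAlgorithm=1'
        '[CRLDistributionPoint]'           # left empty: no CDP in the root certificate
        '[AuthorityInformationAccess]'     # left empty: no AIA in the root certificate
    )

    if (Test-Path -Path $Path) { Write-Warning "Overwriting existing $Path" }
    # ASCII output; Windows PowerShell 5.1 has no -Encoding ANSI option.
    Set-Content -Path $Path -Value $lines -Encoding Ascii

    # Read back and check the line that most often gets mangled.
    $sig = (Get-Content -Path $Path)[1]
    if ($sig -ne 'Signature="$Windows NT$"') { throw "Signature line was mangled: $sig" }
    Get-Item -Path $Path
}

New-CAPolicyInf
```

Because the file name is fixed by AD CS setup, the function always writes CAPolicy.inf; only the folder can be changed, and the default is the %systemroot% folder that setup reads.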