Historical Content Alert

This is historical content for the Windows 2000 product and is presented for informational purposes only. All content on this page is copyrighted and owned by Microsoft.

Configuring the policy and exit modules

The administrator of a certification authority (CA) can configure a number of settings in the default policy and exit modules provided with Certificate Services by using the Certification Authority snap-in.

Policy module settings you can change:

    Certificate revocation list distribution points. You can add or remove certificate revocation list distribution point addresses, which are the URLs that a CA writes into every certificate to tell the verifier of a certificate where to retrieve the current version of the CA's certificate revocation list (CRL). These URLs can be HTTP, FTP, LDAP, or FILE addresses. You can use variables when specifying the address of the CRL Distribution Point (CDP). Refer to the variable table in the procedure for further information about the variables you can use in a URL.

    For the procedure to change the CRL distribution points, see Specify certificate revocation list distribution points in issued certificates.

    Authority information access points. You can add or remove authority information access addresses, which are the URLs in the certificates a CA issues that tell the verifier of a certificate where to retrieve the certificate of the CA. These addresses can be HTTP, FTP, LDAP, or FILE addresses. As with the CRL distribution point URLs, you can use variables when specifying the address of the authority information access point. Refer to the variable table in the procedure for further information about the variables you can use in a URL.

    For the procedure to change the authority information access points, see Specify CA certificate access points in issued certificates.

    (For stand-alone CAs only) The default action of the certification authority upon receiving a valid certificate request. You can specify whether a stand-alone CA will hold incoming certificate requests as pending or automatically issue the certificate. In most cases, for security reasons, it is recommended that all incoming certificate requests to a stand-alone CA be marked as pending.

    For the procedure to change the default action of a stand-alone certification authority upon receipt of a certificate request, see Set the default action upon receipt of a certificate request.
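
To confirm which CRL distribution point and authority information access URLs were actually written into an issued certificate, the DER-encoded extension values can be walked directly. The following Python code is an added example, not code from Microsoft or Certificate Services; the host names, the CA name and the helper names (`read_tlv`, `extract_uris`, `audit`, `tlv`, `dist_point`) are assumptions, and both sample extension values are constructed.

```python
# Added example: list the URLs in a CDP or AIA extension value (all samples constructed).
LISTED_SCHEMES = {"http", "ftp", "ldap", "file"}  # address types named on this page
URI_TAG = 0x86  # GeneralName uniformResourceIdentifier: context tag [6], primitive

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def extract_uris(der):
    """Collect every URI GeneralName nested anywhere in the extension value."""
    uris, pos = [], 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        if tag == URI_TAG:
            uris.append(value.decode("ascii"))
        elif tag & 0x20:  # constructed (SEQUENCE, [0] wrappers): descend
            uris.extend(extract_uris(value))
    return uris

def audit(der):
    """Map each URL to True when its scheme is one of the listed address types."""
    return {u: u.split(":", 1)[0].lower() in LISTED_SCHEMES for u in extract_uris(der)}

def tlv(tag, body):  # minimal DER encoder, used only to build the constructed samples
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body
def dist_point(url):  # DistributionPoint { [0] distributionPoint { [0] fullName { URI } } }
    return tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(URI_TAG, url.encode("ascii")))))

SAMPLE_CDP = tlv(0x30, b"".join(dist_point(u) for u in (
    "http://pki.example.test/CertEnroll/ExampleCA.crl",
    "ldap:///CN=ExampleCA,CN=CDP,DC=example,DC=test?certificateRevocationList?base",
    "smb://fileserver.example.test/CertEnroll/ExampleCA.crl")))  # unlisted scheme
SAMPLE_AIA = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505073002"))  # caIssuers OID
                           + tlv(URI_TAG, b"http://pki.example.test/CertEnroll/ExampleCA.crt")))
```

Calling `audit(SAMPLE_CDP)` returns each URL with a flag showing whether its scheme is one of the four address types listed above. The walker collects every `[6]` URI it finds, so it does not distinguish a distribution point's full name from a CRL issuer name.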

Exit module settings you can change:

    Allow certificate publication to Active Directory. You can select whether to allow the publishing of certificates to Active Directory when they are issued. They will be associated with the object in Active Directory to which they were issued.

    For the procedure to allow or disallow the publishing of certificates to Active Directory, see Publish certificates to Active Directory.

    Allow certificate publication to the file system. You can select whether to allow the publishing of certificates to the file system. Actual publication will only occur if the certificate request specifies a file system location where the certificate is to be published.

    For the procedure to allow or disallow the publishing of certificates to the file system, see Publish certificates to the file system.

For more information about policy and exit modules, see Policy and exit modules.

If you want to replace the policy module provided with Certificate Services with a custom policy module or a policy module developed for Certificate Server 1.0 and Windows NT 4.0, you must first register the policy module .dll file using the regsvr32 yourmodule.dll command and then follow the procedure in Select a different policy module.

