Q. I'm planning to set up an additional Windows enterprise Certification Authority (CA) in my Windows Server 2008 Active Directory (AD) forest. How can I make sure that the new CA doesn’t start issuing certificates until I've properly and completely configured the CA?

A. You can block your new CA from issuing new certificates by ensuring that it doesn’t have any preconfigured certificate templates when it boots up for the first time. You can accomplish this by adding the following line to the capolicy.inf configuration file:

LoadDefaultTemplates=False

This line must be added to the \\[certsrv_server\\] section of the capolicy.inf file. The LoadDefaultTemplates line controls whether the CA is configured with any of the default certificate templates. In the Windows CA configuration, certificate templates determine what types of certificates a CA can issue.

The LoadDefaultTemplates entry only applies during the installation of an enterprise CA—it doesn't affect a standalone CA. In the Active Directory Certification Service (ADCS), an enterprise CA is an AD-integrated CA. On Windows Server 2003 and Windows Server 2003 R2, the LoadDefaultTemplates setting only applies to root enterprise CAs and is ignored on a subordinate enterprise CA. On Server 2008 and Server 2008 R2, the LoadDefaultTemplates setting applies to both root and subordinate enterprise CAs.

In case you're not familiar with the capolicy.inf file: It's a configuration file that contains various settings that are used when installing a Windows CA or when renewing the CA certificate. The capolicy.inf file isn't required to install ADCS with the default settings, but in many cases the default settings are insufficient. Once you've created a capolicy.inf file, you must copy it to the %systemroot% folder of your server before you install the CA or renew the CA certificate. More information on the syntax of the capolicy.inf file can be found online at Microsoft Technet or MSDN.