Re: Recommendations about 2-tier PKI, OIDs and CAPolicy.inf file

From: Eric Chamberlain (eric.chamberlain_at_newsgroups.nospam)
Date: 05/11/04

  • Next message: Steven L Umbach: "Re: Backing Up Local Policy Settings"
    Date: Mon, 10 May 2004 19:22:56 -0700
    
    

    "Hans Walder pointag.net>" <hans.walder@<NO_SPAM> wrote in message
    news:B403713B-D610-4B86-B112-3717C076A996@microsoft.com...
    > Hello,
    >
    > can someone please give me some advice/comments on the following parts.
    >
    > Information:
    > we are a college and are going to introduce smart card logon for our students.
    > About 30 students are using it currently in a test environment and everything
    > works fine.
    >
    >
    > Our system (not including the test environment):
    > Existing:
    > 2 Domain Controllers (Windows 2003 Server Standard)
    >
    > Planned:
    > 1 Offline Root CA (Windows 2003 Enterprise)
    > 2 Online Sub CA (Windows 2003 Enterprise)... Enterprise Version, because of AutoEnrollment
    > n XP workstations
    >
    >
    > 1.) We have about 2.000 users. It is planned to have a 2 tier PKI structure.
    > In MS white papers it is described to use 2 Sub CAs for a 2 tier structure.
    > Is it because of load balancing? Do we need it for 2.000 students? And what would
    > be the recommended hardware configuration for these servers. For the moment we
    > have an offer with:
    > 2.8 GHz, 1024 MB RAM, 80 GB HDD,...
    >
    Hans,

    One CA should work fine for the number of users you have. Two issuing CAs
    can be a pain, because they don't share a database and you have to know
    which CA issued the certificate when checking for pending requests.

    > 2.) Should both CAs enroll user certs? Or one user certs and the other one
    > enrolls computer certs? And how would that be done? Does there exist some
    > information online?
    >
    Either way would work. Controlling what each CA issues is based on the per
    CA Certificate Templates and the permissions of each template.

    > 3.) I have been using the CAPolicy.inf file for the Root CA installation.
    > For the moment I only added the sections
    >
    > [CRLDistributionPoint]
    >
    > [AuthorityInformationAccess]
    >
    > which are both empty (and it works fine).
    >

    You should populate these values with your CRL information or enter the
    information in the Certificate Manager MMC. See the link below for our inf
    file configuration.

    > But do I also have to/should I put the location of the policy file there
    > (I mean on the basis that we are "only" a school and not a private company)?
    > i.e.
    > [LegalPolicy]
    > OID=1.3.6.1.4.1.311.10.12.1
    > URL = "http://www.anydomain.net/CAPolicy/default.htm"
    >
    > And if yes, do I have to register for an OID or is it enough to use MS
    > default ones (are there even default ones)?
    > I have found the following link:
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/obtaining_an_object_identifier_from_microsoft.asp
    >
    > Is this how we have to obtain the OID?
    > (but as I mentioned we are "only" a school).
    >

    Yes, the Legal Policy should go in the inf file. And you will need to
    register your OID; if your school doesn't already have an OID assigned, you
    can use Microsoft's registration tool. See the link below for our legal
    policy CPS information.

    >
    > Btw, does someone know about some universities using smart card logon or
    > any reference university/project ("from Microsoft") which educational
    > institutions like we are could contact to get some helpful "tips"? (if you
    > don't want to publish information about possible contacts in here you can
    > contact me per email...just remove <NO_SPAM> from my address.
    >

    Our smartcard project is documented at http://smartcard.berkeley.edu. Our
    PKI infrastructure is documented at http://calnetpki.berkeley.edu/. In the
    Implementation section, we have on-line copies of our configuration files
    and the steps we took to configure each CA and RA.
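
The CAPolicy.inf sections discussed in this thread, as an added example that is not from the original post or from either poster's configuration files: it shows the [CRLDistributionPoint] and [AuthorityInformationAccess] sections populated, and a [LegalPolicy] section referenced from a [PolicyStatementExtension] section, which is what causes Windows Server 2003 Certificate Services to actually write the policy into the CA certificate (a [LegalPolicy] section on its own is not used). Every URL, the OID arc and the key length and validity values are placeholders to be replaced with the school's own. Note that on a root CA these sections only shape the root's own self-signed certificate; the CDP and AIA URLs written into certificates the CA issues are configured on the running CA afterwards (certutil -setreg CA\CRLPublicationURLs and CA\CACertPublicationURLs, or the CA properties in the MMC), which is why empty sections in the root's CAPolicy.inf still "work fine".

```ini
; CAPolicy.inf for an offline root CA (added example; every value is a placeholder)
; Save as %SystemRoot%\CAPolicy.inf before installing Certificate Services.
[Version]
Signature="$Windows NT$"

; The policy statement extension carries the [LegalPolicy] section below into
; the root certificate. Critical=0 keeps clients that do not understand the
; extension from rejecting the certificate.
[PolicyStatementExtension]
Policies=LegalPolicy
Critical=0

[LegalPolicy]
; OID must come from an arc registered to the school; <PEN> is a placeholder
; for the enterprise number obtained through IANA or Microsoft's registration.
OID=1.3.6.1.4.1.<PEN>.1.1
Notice="Example College Certificate Practice Statement"
URL="http://pki.example.edu/cps/default.htm"

; Locations the clients can reach even though the root itself is offline.
; Leave both sections empty instead if the root certificate should carry no
; CDP/AIA extensions at all.
[CRLDistributionPoint]
URL=http://pki.example.edu/crl/ExampleRootCA.crl

[AuthorityInformationAccess]
URL=http://pki.example.edu/aia/ExampleRootCA.crt

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; Offline root: a long base CRL period and no delta CRLs, so the machine only
; has to be powered on a few times a year to republish the CRL.
CRLPeriod=Months
CRLPeriodUnits=6
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
```

After installation, `certutil -v -getreg CA\CRLPublicationURLs` on the CA shows the publication URLs that will be stamped into issued certificates, which is the place to verify that the subordinate CAs' CRL and AIA locations are reachable by the XP workstations before enabling smart card logon.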

