Recommendations about 2-tier PKI, OIDs and CAPolicy.inf file

Guest

Hello,

can someone please give me some advice/comments on the following points.

Information:
we are a college and are going to introduce smart card logon for our students.
About 30 students are currently using it in a test environment and everything
works fine.

Our system (not including the test environment):
Existing:
2 Domain Controllers (Windows 2003 Server Standard)

Planned:
1 Offline Root CA (Windows 2003 Enterprise)
2 Online Sub CAs (Windows 2003 Enterprise)... Enterprise edition, because of AutoEnrollment
n XP workstations

1.) We have about 2,000 users. It is planned to have a 2-tier PKI structure.
In MS white papers it is described to use 2 Sub CAs for a 2-tier structure.
Is it because of load balancing? Do we need it for 2,000 students? And what would
be the recommended hardware configuration
for these servers? For the moment we have an offer with:
2.8 GHz, 1024 MB RAM, 80 GB HDD, ...

2.) Should both CAs enroll user certs? Or one user certs and the other one enrolls
computer certs? And how would that be done? Is there some information online?

3.) I have been using the CAPolicy.inf file for the Root CA installation.
For the moment I only added the sections

[CRLDistributionPoint]

[AuthorityInformationAccess]

which are both empty (and it works fine).

But do I also have to/should I put the location of the policy file there (I mean on
the basis that we are "only" a school and not a private company)?
i.e.
[LegalPolicy]
OID=1.3.6.1.4.1.311.10.12.1
URL = "http://www.anydomain.net/CAPolicy/default.htm"

And if yes, do I have to register for an OID or is it enough to use MS default ones (are
there even default ones)?
I have found the following link: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/obtaining_an_object_identifier_from_microsoft.asp

Is this how we have to obtain the OID?
(but as I mentioned we are "only" a school).

Btw, does someone know about some universities using smart card logon or any reference
university/project ("from Microsoft") which educational institutions like us could
contact to get some helpful "tips"? (If you don't want to publish information about
possible contacts in here you can contact me by email... just remove <NO_SPAM> from
my address.)

Thank you for any information you can give me.

Best regards
Hans

Eric Chamberlain

Hans Walder pointag.net> said:
Hello,

can someone please give me some advice/comments on the following points.

Information:
we are a college and are going to introduce smart card logon for our students.
About 30 students are currently using it in a test environment and everything
works fine.

Our system (not including the test environment):
Existing:
2 Domain Controllers (Windows 2003 Server Standard)

Planned:
1 Offline Root CA (Windows 2003 Enterprise)
2 Online Sub CAs (Windows 2003 Enterprise)... Enterprise edition, because of AutoEnrollment
n XP workstations

1.) We have about 2,000 users. It is planned to have a 2-tier PKI structure.
In MS white papers it is described to use 2 Sub CAs for a 2-tier structure.
Is it because of load balancing? Do we need it for 2,000 students? And what would
be the recommended hardware configuration
for these servers? For the moment we have an offer with:
2.8 GHz, 1024 MB RAM, 80 GB HDD, ...

Hans,

One CA should work fine for the number of users you have. Two issuing CAs
can be a pain, because they don't share a database and you have to know
which CA issued the certificate when checking for pending requests.

2.) Should both CAs enroll user certs? Or one user certs and the other one enrolls
computer certs? And how would that be done? Is there some information online?

Either way would work. Controlling what each CA issues is based on the per-CA
Certificate Templates and the permissions of each template.

3.) I have been using the CAPolicy.inf file for the Root CA installation.
For the moment I only added the sections

[CRLDistributionPoint]

[AuthorityInformationAccess]

which are both empty (and it works fine).

You should populate these values with your CRL information or enter the
information in the Certificate Manager MMC. See the link below for our inf
file configuration.

But do I also have to/should I put the location of the policy file there (I mean on
the basis that we are "only" a school and not a private company)?
i.e.
[LegalPolicy]
OID=1.3.6.1.4.1.311.10.12.1
URL = "http://www.anydomain.net/CAPolicy/default.htm"

And if yes, do I have to register for an OID or is it enough to use MS default ones (are
there even default ones)?
I have found the following link: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/obtaining_an_object_identifier_from_microsoft.asp

Is this how we have to obtain the OID?
(but as I mentioned we are "only" a school).

Yes, the Legal Policy should go in the inf file. And you will need to
register your OID; if your school doesn't already have an OID assigned, you
can use Microsoft's registration tool. See the link below for our legal
policy CPS information.

Btw, does someone know about some universities using smart card logon or any reference
university/project ("from Microsoft") which educational institutions like us could
contact to get some helpful "tips"? (If you don't want to publish information about
possible contacts in here you can contact me by email... just remove <NO_SPAM> from
my address.)

Our smartcard project is documented at http://smartcard.berkeley.edu. Our
PKI infrastructure is documented at http://calnetpki.berkeley.edu/. In the
Implementation section, we have on-line copies of our configuration files
and the steps we took to configure each CA and RA.
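An added worked example (not code from either poster, nor from the Berkeley project linked above): a small Python linter that parses a CAPolicy.inf and checks the three points in the answer above, namely that the policy OID sits under an arc you registered yourself rather than under Microsoft's 1.3.6.1.4.1.311 (the OID quoted in the question is a Microsoft one), that the policy URL points at a published document, and that [CRLDistributionPoint] and [AuthorityInformationAccess] either carry URL= lines or are explicitly marked Empty=True instead of being left bare. Both inf texts are constructed; the first reproduces the file as described in the question, the second the same file with the answers applied. The [PolicyStatementExtension] Policies= line, which the question omits, is what Certificate Services uses to pick up a [LegalPolicy] section. The example.edu URLs and the 99999 enterprise number are placeholders.

```python
"""Lint a CAPolicy.inf for the points raised in the thread (added example)."""

# Constructed: the CAPolicy.inf as described in the question, with the
# Microsoft OID and the two bare CDP/AIA sections.
AS_DESCRIBED = """\
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=LegalPolicy

[LegalPolicy]
OID=1.3.6.1.4.1.311.10.12.1
URL="http://www.anydomain.net/CAPolicy/default.htm"

[CRLDistributionPoint]

[AuthorityInformationAccess]
"""

# Constructed: the same file with an OID under a self-registered arc
# (99999 is a placeholder for your own enterprise number) and populated
# CDP/AIA sections; the example.edu hosts are placeholders too.
CORRECTED = """\
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=LegalPolicy

[LegalPolicy]
; 99999 stands in for the enterprise number you register yourself
OID=1.3.6.1.4.1.99999.1.1.1
URL="http://pki.example.edu/cps/default.htm"

[CRLDistributionPoint]
URL=http://pki.example.edu/cdp/RootCA.crl

[AuthorityInformationAccess]
URL=http://pki.example.edu/aia/RootCA.crt
"""

MICROSOFT_ARC = "1.3.6.1.4.1.311."  # Microsoft's private enterprise arc


def parse_inf(text):
    """Return {section: [(key, value), ...]}; repeated keys (URL=) are kept."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])  # register even if it stays empty
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value.strip('"')))
    return sections


def check_capolicy(sections):
    """Findings for the policy OID/URL and for the CDP and AIA sections."""
    findings = []
    ext = dict(sections.get("PolicyStatementExtension", []))
    names = [n.strip() for n in ext.get("Policies", "").split(",") if n.strip()]
    if not names:
        findings.append("no [PolicyStatementExtension] Policies= line, so no policy section is used")
    for name in names:
        entries = dict(sections.get(name, []))
        oid = entries.get("OID")
        if oid is None:
            findings.append(f"[{name}] has no OID=")
        elif oid.startswith(MICROSOFT_ARC):
            findings.append(f"[{name}] OID {oid} is under Microsoft's arc; register your own")
        url = entries.get("URL", "")
        if not url.lower().startswith(("http://", "https://")):
            findings.append(f"[{name}] URL= must point at the published policy over http(s)")
    for section in ("CRLDistributionPoint", "AuthorityInformationAccess"):
        if section not in sections:
            continue  # absent section: the CA uses its own defaults
        keys = {k.lower(): v for k, v in sections[section]}
        if "url" not in keys and keys.get("empty", "").lower() != "true":
            findings.append(f"[{section}] is present but has neither URL= lines nor Empty=True")
    return findings


def lint_capolicy(text):
    """Parse and check a CAPolicy.inf text; returns a list of finding strings."""
    return check_capolicy(parse_inf(text))


if __name__ == "__main__":
    for label, inf in (("as described", AS_DESCRIBED), ("corrected", CORRECTED)):
        print(f"{label}: {lint_capolicy(inf) or ['no findings']}")
```

Run as a script it reports three findings for the file as described (the Microsoft OID and the two bare sections) and none for the corrected one. The parser is deliberately hand-rolled rather than configparser because CAPolicy.inf allows the same URL= key several times in one section.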

Guest

----- Eric Chamberlain wrote: ----


Hans Walder pointag.net> said:
Hello,

we are a college and are going to introduce smart card logon for our students.
About 30 students are currently using it in a test environment and everything
works fine.

Existing:
2 Domain Controllers (Windows 2003 Server Standard)

Planned:
1 Offline Root CA (Windows 2003 Enterprise)
2 Online Sub CAs (Windows 2003 Enterprise)... Enterprise edition, because of AutoEnrollment
n XP workstations

1.) We have about 2,000 users. It is planned to have a 2-tier PKI structure.
In MS white papers it is described to use 2 Sub CAs for a 2-tier structure.
Is it because of load balancing? Do we need it for 2,000 students? And what would
be the recommended hardware configuration
for these servers? For the moment we have an offer with:
2.8 GHz, 1024 MB RAM, 80 GB HDD, ...

Hans,

One CA should work fine for the number of users you have. Two issuing CAs
can be a pain, because they don't share a database and you have to know
which CA issued the certificate when checking for pending requests.

2.) Should both CAs enroll user certs? Or one user certs and the other one enrolls
computer certs? And how would that be done? Is there some
information online?

Either way would work. Controlling what each CA issues is based on the per-CA
Certificate Templates and the permissions of each template.

3.) I have been using the CAPolicy.inf file for the Root CA installation.
For the moment I only added the sections
[CRLDistributionPoint]
[AuthorityInformationAccess]
which are both empty (and it works fine).

You should populate these values with your CRL information or enter the
information in the Certificate Manager MMC. See the link below for our inf
file configuration.

But do I also have to/should I put the location of the policy file there (I mean on
the basis that we are "only" a school and not a private company)?
i.e.
[LegalPolicy]
OID=1.3.6.1.4.1.311.10.12.1
URL = "http://www.anydomain.net/CAPolicy/default.htm"
And if yes, do I have to register for an OID or is it enough to use MS
default ones (are
there even default ones)?
I have found the following link: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/obtaining_an_object_identifier_from_microsoft.asp
Is this how we have to obtain the OID?
(but as I mentioned we are "only" a school).

Yes, the Legal Policy should go in the inf file. And you will need to
register your OID; if your school doesn't already have an OID assigned, you
can use Microsoft's registration tool. See the link below for our legal
policy CPS information.

Btw, does someone know about some universities using smart card logon or any reference
university/project ("from Microsoft") which educational institutions like us could
contact to get some helpful "tips"? (If you don't want to publish information about
possible contacts in here you can contact me by email... just remove <NO_SPAM> from
my address.)

Our smartcard project is documented at http://smartcard.berkeley.edu. Our
PKI infrastructure is documented at http://calnetpki.berkeley.edu/. In the
Implementation section, we have on-line copies of our configuration files
and the steps we took to configure each CA and RA.

Thank you very much for this information.

Best regards
Hans
 
