OID Certificate Templates
Hi All, I have three types of user certs I need to issue: High, Medium, and Low. High has smartcard reliance, Medium face-to-face interviews, and Low is auto-enrol. This I can do, no problem. Now the question is based on OIDs. I created the Issuing CA with three OIDs in the CApolicy.inf file for the three levels of certs. How do I define in the certificate template which OID to use, so users who apply for a High cert have OID 1.2.3.4 and people who apply for a Low cert get 1.2.3.5, etc.? I'm assuming it is through editing the cert template. If not, the only other way I can think of doing this is to create a root CA, three "policy CAs", and then subordinate issuing CAs from the policy CAs to enforce the assurance levels, but that seems like a silly use of a CA just for that. Help gratefully appreciated.
April 17th, 2011 5:59pm

You have to edit the certificate template, and then on the Extensions tab, create one certificate policy OID per assurance level. I do hope that you have used true OIDs (registered to your organization) and not 1.2.3.4. Once you create them, they are stored in the CN=OID container in the Configuration naming context, and can be simply added for each additional certificate template issued at that assurance level. Brian
April 17th, 2011 7:41pm
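As an added check (not from the thread or from either poster), the following Python decodes the certificatePolicies extension (OID 2.5.29.32) of an issued certificate and maps the policy OIDs it finds back to the assurance level of the template that asserted them, so an auditor can confirm that a "High" template really produces certs carrying the High policy OID. The level-to-OID table, the 1.2.3.6 value for Medium, and the sample extension bytes are all assumptions constructed for this example; a real extension value would be read from the certificate.

```python
# Assumed level-to-OID mapping: 1.2.3.4 and 1.2.3.5 are the thread's own
# placeholders; 1.2.3.6 is a constructed value for the Medium level.
ASSURANCE_OIDS = {"1.2.3.4": "High", "1.2.3.6": "Medium", "1.2.3.5": "Low"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; short and
    long definite lengths are both accepted."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """DER OBJECT IDENTIFIER contents -> dotted string. First byte packs the
    first two arcs as 40*a + b (exact for a in {0, 1} and 2.b with b < 40)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # last group of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_certificate_policies(ext_value):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation, where each
    PolicyInformation is SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        oid_tag, oid_body, _ = _read_tlv(info, 0)    # first element is the policy OID
        assert tag == 0x30 and oid_tag == 0x06, "malformed PolicyInformation"
        oids.append(decode_oid(oid_body))             # CPS / user-notice qualifiers skipped
    return oids

def assurance_levels(ext_value):
    """Assurance levels asserted by the certificate. An empty list means the
    template asserted none of the CA's policy OIDs; more than one means a
    template carries several policy OIDs and should be reviewed."""
    return [ASSURANCE_OIDS[o] for o in parse_certificate_policies(ext_value)
            if o in ASSURANCE_OIDS]

# Constructed sample extension value: policy 1.2.3.4 (High) with a CPS URI
# qualifier (id-qt-cps = 1.3.6.1.5.5.7.2.1), as a CA with a CPS URL configured emits.
SAMPLE_EXT = bytes.fromhex(
    "3035 3033 06032a0304 302c 302a 06082b06010505070201 161e"
) + b"http://pki.example.invalid/cps"
```

Running `assurance_levels(SAMPLE_EXT)` on the constructed value returns `["High"]`; feeding it the raw extension value of a cert issued from each template shows whether the OIDs Brian describes actually made it into the issued certificates.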

Thanks for the reply Brian, that's pretty much what I thought. Thanks for the confirmation, and I appreciate your time. Paul
April 18th, 2011 7:17am

What would you consider to be best practice: multiple OIDs on an issuing CA with certificate templates (say for user certs, where you create 3 user cert types, one per assurance level, then assign an OID to each as you described) modified for that OID, or a Policy CA dedicated to the single OID, so the issuing CA below it can only issue certs with one OID? And the OIDs would indeed be registered; I was just putting in a little example :)
April 18th, 2011 8:10am

Both are best practices. It really depends on the design requirements:
- Where will the CAs exist
- Do separate teams manage each policy level
- Do the policy levels reference different countries
If it is a simple case of low, medium, and high assurance, then I typically lean to a single issuing CA, managed to the highest assurance level asserted for certificates issued by that CA. Brian
April 18th, 2011 9:37am

Hi Brian, this was pretty much what I was thinking; good to get a second opinion. Thanks for your time. Paul
April 29th, 2011 8:11am
