OID Certificate Templates
Hi All, I have three types of user certs I need to issue: High, Medium, and Low. High has smartcard reliance, Medium face-to-face interviews, and Low is auto-enrol. This I can do, no problem. Now the question is based on OIDs: I created the Issuing CA with three OIDs in the CApolicy.inf file, OK, for the three levels of certs. How do I define in the certificate template which OID to use, so users who apply for a High cert have OID 1.2.3.4 and people who apply for a Low get 1.2.3.5, etc.? I'm assuming it is through editing the cert template. If not, the only other way I can think of doing this is to create a root CA, three "policy CAs", and then subordinate issuing CAs from the policy CAs to enforce the assurance levels, but that seems like a silly use of a CA just for that. Help gratefully appreciated.
April 18th, 2011 12:54am

You have to edit the certificate template, and then on the Extensions tab, create one certificate policy OID per assurance level. I do hope that you have used true OIDs (registered to your organization) and not 1.2.3.4. Once you create them, they are stored in the CN=OID container in the Configuration naming context, and can be simply added for each additional certificate template issued at that assurance level.
Brian
April 18th, 2011 2:36am
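As an added example (not from the thread), the following PowerShell inventories which issuance-policy OIDs each certificate template asserts and resolves them against the CN=OID container Brian mentions, so you can confirm that the High template really carries the High OID and that no template asserts an OID that was never registered there. It assumes a domain-joined host with read access to the Configuration naming context and uses plain ADSI, so it does not need the AD PowerShell module.

```powershell
# Added example: audit certificate template -> issuance policy OID mapping in AD CS.
# Assumption: run on a domain-joined machine that can read the Configuration NC.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Build OID -> display name for issuance policies only.
# msPKI-Enterprise-Oid objects use flags = 2 for issuance (certificate) policies.
$oidNames     = @{}
$oidContainer = [ADSI]"LDAP://CN=OID,$pkiBase"
foreach ($obj in $oidContainer.Children) {
    $flags = $obj.Properties['flags'].Value
    if ($flags -eq 2) {
        $oid  = [string]$obj.Properties['msPKI-Cert-Template-OID'].Value
        $name = [string]$obj.Properties['displayName'].Value
        $oidNames[$oid] = $name
    }
}

# Walk every template and report the policy OIDs it asserts.
$templates = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
$report = foreach ($t in $templates.Children) {
    $labels = foreach ($p in $t.Properties['msPKI-Certificate-Policy']) {
        if ($oidNames.ContainsKey([string]$p)) { "$($oidNames[[string]$p]) ($p)" }
        else { "$p (NOT registered as issuance policy in CN=OID)" }
    }
    [pscustomobject]@{
        Template         = [string]$t.Properties['cn'].Value
        IssuancePolicies = if ($labels) { $labels -join '; ' } else { '<none>' }
    }
}

$report | Sort-Object Template | Format-Table -AutoSize
```

Templates listed with `<none>` assert no assurance level at all, and an "NOT registered" entry means a policy OID was typed into a template without first being created in the OID container, which is exactly the mismatch worth catching before the template is published on the issuing CA.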

What would you consider to be best practice: multiple OIDs on an issuing CA with certificate templates (say for user certs, where you create 3 user cert types per assurance, then assign the OID to them as you described) modified for that OID, or a Policy CA dedicated to the single OID, then the issuing CA can only issue certs with one OID? And the OIDs would indeed be registered; I was just putting in a little example :)
April 18th, 2011 3:05pm

Both are best practices. It really depends on the design requirements:
- Where will the CAs exist
- Do separate teams manage each policy level
- Do the policy levels reference different countries
If it is a simple case of low, medium, and high assurance, then I typically lean to a single issuing CA, managed to the highest assurance level asserted for certificates issued by that CA.
Brian
April 18th, 2011 4:33pm

Hi Brian, this was pretty much what I was thinking; good to get a second opinion. Thanks for your time.
Paul
April 29th, 2011 3:06pm
