As a Public Key Infrastructure (PKI) best practice, Certificate Policies are associated with a PKI by reserving and incorporating unique object identifiers (OID) into all or portions of your PKI. OIDs are used to assign one or more Certificate Policies to a given CA.
There are three basic methods that can be used to create the policy OIDs:
- Use the pre-assigned OIDs, built into Active Directory Certificate Services (AD CS), for low, medium, and high assurance.
- Use the “randomly assigned” feature of the Windows 2008/2012 CA.
- Register a public OID arc and define the policies under that arc instead of using a private OID (preferred method).
The first two options are available for private organization use. Implementing a private OID means you are setting an organizational boundary for your PKI. The third option is to use a public OID so that your PKI can work with other organizations.
This post will dive deeper into the second option; using the “randomly assigned” feature of the Windows 2008/2012 CA.
A forest unique, private OID is automatically generated by AD CS when the first domain-joined CA role is installed. In some cases, knowing this OID prior to installing the CA can be useful when creating your Certificate Policy and Certificate Practice Statement (CP/CPS) document set, or CA policy configuration files (CAPolicy.inf, Policy.inf).
In order to utilize a private OID for the CAPolicy.inf file, you will need to capture the value after the first part of the AD CS role installation, prior to starting the second part of configuring the CA.
The steps to obtain the forest unique private OID are as follows:
- Add the AD CS Role, but do not proceed to configure the CA until you have your OID. That is before you click the ‘Configure Active Directory Certificate Services on the destination server’ link in the Results window, or the ‘Post-deployment Configuration’ notifications flag in Server Manager.
- Run certtmpl.msc to add the Certificate Templates Console.
- Use the Certificate Templates Console to generate a new Issuance Policy. You can either use the entire OID provided by the console, or change the last two fields to suite your needs.
- Save the OID in your %windir%\CAPolicy.inf file.
- Resume the CA installation. Click the ‘Configure Active Directory Certificate Services on the destination server’ link in the AD CS Installation Results window, or use the ‘Post-deployment Configuration’ notifications flag in Server Manager to start the CA configuration and complete the CA installation as planned.
