PolicyStatementExtension and EDITF_ATTRIBUTESUBJECTALTNAME2
I'm in the process of standing up a 2-tier internal PKI for my organization consisting of a Stand-alone Root CA and an online Enterprise Issuing CA. The PKI is presently defined to be utilized for internal use only; however, having seen other examples of things morphing, I want to be prepared while also following best practices.
PolicyStatementExtension Confusion:
In the "Plan for Certificate Issuance Policies" section of the Deploying and Managing PKI Inside Microsoft article it states: "specifying any individual policy OID overrides the 'all' value". My organization has an IANA assigned OID and I was planning on utilizing it in my Enterprise Issuing CA capolicy.inf as follows:
[PolicyStatementExtension]
Policies = MyCompanyCorporateCPS
Critical = FALSE
[MyCompanyCorporateCPS]
OID = 1.3.6.1.4.1.companyOID.340.1.1
NOTICE = My Company Corporate Certificate Practice Statement
URL = "http://server1.mycompany.com/CPS/cps.asp"
Is defining a PolicyStatementExtension and utilizing my company OID best practice?
Will doing so present an issue in the future similar to the one explained in the article?
Should I simply define the AllIssuance OID, or simply leave the PolicyStatementExtension out of the capolicy.inf?
EDITF_ATTRIBUTESUBJECTALTNAME2 Confusion:
The Enterprise Issuing CA will need to issue certificates (mainly SSL) to a variety of platforms (Windows, Linux, etc.). Certificate enrollment for non-autoenrolled certificates will be done via a custom developed web application (not the CS Web Enrollment).
I'm not familiar with how other platforms generate certificate requests.
What is the best way to handle certificate requests requiring SAN?
Do I need to enable +EDITF_ATTRIBUTESUBJECTALTNAME2 on the Enterprise Issuing CA?
If yes, won't this go against the best practice of specifying a SAN by using certificate extensions instead of request attributes to avoid enabling EDITF_ATTRIBUTESUBJECTALTNAME2?
Any help or suggestions on either of these is greatly appreciated.
Thank you!!
Paul
November 18th, 2011 12:09pm
> Is defining a PolicyStatementExtension and utilizing my company OID best practice?
Yes. However, for common issuing CAs it is recommended to use the AllIssuancePolicies OID and specify custom OIDs within certificate templates.
> Do I need to enable +EDITF_ATTRIBUTESUBJECTALTNAME2 on the Enterprise Issuing CA?
No. You should not enable this flag. Normally, applications should supply the SAN extension within the CSR. The mentioned flag is used when you submit a request without a SAN and add the SAN during submission (as a request attribute, not an authenticated extension).
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
November 18th, 2011 12:59pm
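The two points in the answer above, as an added example that is not part of this thread: first an audit of the issuing CA's policy-module EditFlags for EDITF_ATTRIBUTESUBJECTALTNAME2 (run on the CA), then a certreq .inf that carries the SAN inside the signed PKCS#10 as the 2.5.29.17 extension so the flag is never needed. The CA name "Corp-Issuing-CA", the hostnames under mycompany.com and the WebServer template name are assumptions.

```powershell
# Added example; CA name, hostnames and template are assumptions for illustration.

# 1. Audit: is EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) set in the default
#    policy module's EditFlags? Equivalent to: certutil -getreg policy\EditFlags
function Test-SanAttributeFlag {
    param([string]$CAName = 'Corp-Issuing-CA')
    $EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName" +
               "\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $editFlags = (Get-ItemProperty -Path $regPath -Name EditFlags).EditFlags
    [bool]($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
}

if (Test-SanAttributeFlag) {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: SAN values supplied as unauthenticated request attributes are honoured by this CA.'
    # To clear it (the CA service must be restarted afterwards):
    #   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    #   Restart-Service CertSvc
}

# 2. Build a request whose SAN is an X.509 extension inside the CSR itself,
#    so the CA signs what the requester asked for and needs no EditFlags change.
$inf = @'
[NewRequest]
Subject = "CN=web01.mycompany.com"
KeyAlgorithm = RSA
KeyLength = 2048
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=web01.mycompany.com&"
_continue_ = "dns=www.mycompany.com"

[RequestAttributes]
CertificateTemplate = WebServer
'@
Set-Content -Path .\web01.inf -Value $inf -Encoding ASCII
certreq -new .\web01.inf .\web01.req

# Confirm the SAN is part of the signed request before submitting it to the CA.
certreq -dump .\web01.req | Select-String -Pattern 'Subject Alternative Name' -Context 0,3
```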
Vadims,
Thanks for the feedback. Would the following be correct for the PolicyStatementExtension within capolicy.inf for my common issuing CA:
[PolicyStatementExtension]
Policies = MyCompanyCorporateCPS
Critical = FALSE
[MyCompanyCorporateCPS]
OID = 2.5.29.32.0
NOTICE = UPS Corporate Certificate Practice Statement
URL = http://mywebserver.company.com/CPS/cps.asp
Thanks!
Paul
November 29th, 2011 10:42am
Yes.
November 29th, 2011 11:27am