We help IT Professionals succeed at work.

PKI infrastructure question

My company is looking to deploy an application that will require a large number of certificates. We’re leaning towards using our own servers as a CA. I’ve been reading up on PKI and was looking for a few questions to be answered.
If we’re going to be deploying client and server certificates using our own CA, do I need to register with any organizations? I will be deploying the root certificate on our client hosts so they trust the CAs but is there anything else I’d need to do? I’ve heard of something called an OID.  This statement came out of a Microsoft PKI book
“Where Do I Get an OID? An OID is a unique sequence of numbers that identifies a specific directory object or attribute. You can define an OID for a CPS as either a public OID or a private OID. If your organization plans to use PKI-enabled applications in conjunction with other organizations, you must obtain an OID from a public number-assignment company to ensure that your OID will be unique on the Internet. Sources for public OIDs include: The Internet Assigned Numbers Authority (IANA). This source issues free OIDs under the Private Enterprises arc. Every OID assigned by the IANA begins with the numbers, which represent iso(1).org(3).dod(6).internet(1).private(4).enterprise(1).

Komar, Brian (2010-03-23). Windows Server® 2008 PKI and Certificate Security (Pro Other) (p. 104). Microsoft Press. Kindle Edition.”

I’m not sure if we’ll need to do this or not?
Watch Question

Svet PaperovIT Manager

First, you need to answer to the following question: is it required that the server certificates are trusted from Internet or other non-domain users?

If yes: you need to get your internal CA certified from a trusted CA like Verisign for example. But this could be very expensive.

If the PKI will be for internal use only (local domain) then you don’t need a third-party certification and you can build your own Root CA.


So the model I'm looking at would be that our software would require that we deploy a remote virtual machine at our customer site. The VM would be deployed via a sysprepped image we send to the customer. The image would contain our CA in the trusted root authority list within windows. It would not need to be trusted by any other hosts or users other than those remote hosts. the monkey in the wrench would be that our customers will most likely join that VM to their AD domain.

Would this still require that we register for an OID?
IT Manager
No, you don't need to register nothing. Once the certificate of your CA is in the computer's trusted root authority list, the user won't bothered with invalid certificate.

Your concept is perfectly valid.


Excellent. Thank you for your help!

Explore More ContentExplore courses, solutions, and other research materials related to this topic.