I'm in the planning phase of a simple 2-tier PKI deployment. I plan on having an offline root CA and 1 or 2 enterprise subordinate CAs. At this time they will only be used to auto-enroll computer certs to Windows workstations for 802.1X port-based authentication. I'm trying to make sure that I build it out so it covers our needs in the future. In the last few days I've read a lot of blogs as well as the MS Press 2008 PKI book. I still have some questions that I would like some clarification on.
1) CDP and AIA extensions - Why would I even publish this to AD and use LDAP? Would I not be better off publishing this to two web servers and throwing a load balancer in front for the clients to connect to? I'm not sure what the benefit of placing it in AD is other than causing slower replication and limiting the number of clients that can use it.
2) After I install the root CA, do I go into the extensions and point the CDP and AIA to those web servers and then copy the .crt and .crl to the folder?
3) OID in the CApolicy.inf - I still don't get it. Do I need this in the CApolicy? What exactly happens if I don't have it? Is this something that I can add to the CApolicy and renew the CA cert in the future? If my certs are strictly within my organization, will that make a difference?
I appreciate the insight. PKI is something I don't want to redo in 2 years because I messed it up! Thanks.
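Added example (not part of the original post and not anyone's production build): a PowerShell sketch of the two pieces questions 2 and 3 ask about, a CApolicy.inf for an offline root that carries an issuance-policy OID and suppresses the root's own CDP/AIA, followed by the certutil calls that replace the default LDAP/HTTP CDP and AIA lists with local-file plus HTTP-only entries. The hostname pki.example.com, the forest DN CN=Configuration,DC=example,DC=com, the CA name Example-Root-CA and the OID 1.3.6.1.4.1.99999.1.1 are placeholders; an organisation would use an OID from its own registered arc. The key names, flag values and URL tokens (%1, %3, %4, %8, %9) are the ones AD CS documents for CRLPublicationURLs and CACertPublicationURLs.

```powershell
# Added example, not from the original post. Placeholders: pki.example.com,
# Example-Root-CA, CN=Configuration,DC=example,DC=com and OID 1.3.6.1.4.1.99999.1.1.
# Step 1 runs BEFORE the CA role is installed; steps 2-4 run afterwards, elevated.

# --- 1. CApolicy.inf must exist at %WINDIR%\CApolicy.inf before Install-AdcsCertificationAuthority.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy
Critical=False

[InternalPolicy]
; Placeholder OID: replace with one from your organisation's own arc.
OID=1.3.6.1.4.1.99999.1.1
Notice="Example internal PKI. For internal use only."
URL=http://pki.example.com/pki/cps.html

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

; A self-signed root cannot be checked against itself, so leave CDP/AIA out of its own cert.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@
Set-Content -Path "$env:windir\CApolicy.inf" -Value $caPolicy -Encoding ASCII

# --- 2. After the role is installed: point CDP/AIA at the web servers, no LDAP entries.
# The offline root is a workgroup machine; DSConfigDN lets it build correct LDAP
# paths if you ever publish its cert/CRL to AD with certutil -dspublish.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=example,DC=com"

# CDP list: flag 1 = publish the CRL to this location, flag 2 = include this URL in
# the CDP extension of issued certs. %3 = CA name, %8 = CRL name suffix, %9 = delta suffix.
# "\n" is the separator certutil expects between entries.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/pki/%3%8%9.crl"

# AIA list: flag 1 = publish the CA cert here, flag 2 = include in the AIA extension.
# %1 = server DNS name, %3 = CA name, %4 = certificate name (renewal index).
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/pki/%1_%3%4.crt"

# Long base CRL and no delta CRL, so the offline root only needs powering on twice a year.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
# Lifetime of certs this root issues (the subordinate CA certs).
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
# Audit every CA event category.
certutil -setreg CA\AuditFilter 127

Restart-Service certsvc
certutil -crl   # write a fresh CRL into CertEnroll under the new settings

# --- 3. Copy the root .crt and .crl from CertEnroll to the web servers' /pki/ folder
# out of band, then publish the root cert to AD from a domain-joined machine so
# domain members trust it. That is trust distribution, independent of CDP/AIA lookup:
#   certutil -dspublish -f "Example-Root-CA.crt" RootCA

# --- 4. Once the subordinate CA has issued something, check that a client can actually
# retrieve every CDP and AIA URL embedded in the chain:
#   certutil -verify -urlfetch issued-cert.cer
```

The flag values are bitmasks, so an entry such as `2:` adds the URL to issued certificates without publishing the CRL there; the file copy to the web servers still has to happen by other means (a scheduled copy from the CertEnroll share on the subordinate CAs, a manual copy for the offline root). The CApolicy.inf [InternalPolicy] section is what makes the policy OID appear in the root's certificate; leaving the [PolicyStatementExtension] section out simply produces a root with no Certificate Policies extension, and the section can be added later and takes effect on the next CA certificate renewal.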