I am interested in utilizing ADCS to generate trusted certificates for internal web applications. However, from my readings it appears that I need to purchase an OID, which looks pretty expensive. Is there a way to do this without paying? This is only to be used internally.
Viewed 1,337 times
- This is Active Directory Certificate Services? Can you provide a link as to why you think you need to purchase an OID? – RoraΖ Mar 26 '15 at 16:59
- You mean you want a private OID? – schroeder Mar 26 '15 at 17:00
- https://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx – appsecguy Mar 26 '15 at 17:32
- The above link seems to indicate I needed an OID. – appsecguy Mar 26 '15 at 17:32
- Sorry, I don't see Oracle Internet Database mentioned anywhere on that page. – RoraΖ Mar 26 '15 at 17:44
- Sorry, this is the one: https://technet.microsoft.com/en-us/library/hh831348.aspx – appsecguy Mar 26 '15 at 17:50
- In a multi-tier PKI architecture you might. But would you need that level for internal web applications? You might be able to get away with a single tier (1 CA). – RoraΖ Mar 26 '15 at 17:59
- @raz I have no idea how you could infer that OID in this context is Oracle Internet Database when it's obvious for anyone with actual CA experience that it is an Object IDentifier we are speaking about... – Bruno Rohée Mar 26 '15 at 18:37
- Thanks for the info. I was thinking of two tiers: one offline standalone CA, and one enterprise issuing CA. – appsecguy Mar 26 '15 at 18:45
- Why did this get migrated from security? – Jim B Mar 26 '15 at 20:01
- @JimB because it appears to be an MS-specific configuration question. – schroeder Mar 26 '15 at 21:11
- Technically it is not necessary to have an OID. You would need the OID to link the CP/CPS in your certificate. If you are using the certificate services only internally... ...well. Getting an OID from the IANA can take several weeks, although it does not cost anything. – cornelinux Mar 27 '15 at 13:47
- Nor must you purchase your own 10.0.0.0 or 192.168.0.0 IP addresses. ;) – Ryan Ries Mar 28 '15 at 14:08
2 Answers
The very link you provide to prove that you need an OID also includes the process you need to create your own for free for internal purposes. There's a script that you can run to make your own:
https://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06

schroeder
Getting a Private Enterprise Number from IANA is free as far as I know.
http://pen.iana.org/pen/PenApplication.page
You should also be able to get one under your country branch from your national standards body (link to do so from that Microsoft KB page: https://msdn.microsoft.com/library/windows/desktop/ms677621.aspx )

Bruno Rohée
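An added example, not code from either answer nor Microsoft's script, showing in Python how both free routes above yield a usable OID: a forest-specific OID derived from a GUID under Microsoft's arc 1.2.840.113556.1.8000.2554 (assumed to mirror the slice layout of the TechNet script linked in the first answer) and an OID minted under an IANA Private Enterprise Number as in the second answer, each DER-encoded and decoded again to confirm it is a well-formed OBJECT IDENTIFIER for a certificate policy extension. The PEN 99999 and any GUID used with it are constructed placeholders.

```python
import uuid

# Arcs assumed known (not taken from the page): Microsoft's arc for forest-specific
# OIDs, and IANA's Private Enterprise Number arc under which a PEN holder mints OIDs.
MS_FOREST_ARC = "1.2.840.113556.1.8000.2554"
IANA_PEN_ARC = "1.3.6.1.4.1"

def forest_oid_from_guid(guid):
    # Seven hex slices of the GUID become decimal arcs under Microsoft's arc.
    # Assumption: this mirrors the TechNet script's layout; it is a reimplementation.
    h = uuid.UUID(str(guid)).hex  # 32 hex digits, hyphens removed
    slices = (h[0:4], h[4:8], h[8:12], h[12:16], h[16:20], h[20:26], h[26:32])
    return MS_FOREST_ARC + "." + ".".join(str(int(s, 16)) for s in slices)

def pen_oid(pen, *sub_arcs):
    # OID for a CP/CPS under a free IANA PEN, e.g. pen_oid(99999, 1, 1) (placeholder PEN).
    return ".".join(str(int(a)) for a in (*IANA_PEN_ARC.split("."), pen, *sub_arcs))

def _base128(value):
    # Big-endian base-128; high bit set on every octet but the last.
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))

def der_encode_oid(oid):
    # DER OBJECT IDENTIFIER (tag 0x06); rejects arcs outside the X.660 limits.
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39) or min(arcs) < 0:
        raise ValueError("invalid OID: " + oid)
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form DER length not handled here")
    return bytes([0x06, len(body)]) + body

def der_decode_oid(data):
    # Inverse of der_encode_oid, used to check that the encoding round-trips.
    if len(data) < 3 or data[0] != 0x06 or data[1] & 0x80 or len(data) != data[1] + 2:
        raise ValueError("not a short-form DER OID")
    arcs, value = [], 0
    for b in data[2:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in head + arcs[1:])
```

Run forest_oid_from_guid(uuid.uuid4()) once per forest and record the result alongside the CPS; regenerating it later would produce a different, unrelated OID.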