We've gone without a PKI for a long time because every use
case that came up couldn't justify the outlay to stand
up a PKI, and alternatives were always found. Sometimes
the concern over the operational costs and risks
associated with failures overrode the perceived benefits.
We're using InCommon for server certificates and plan
to use them for user and code signing certificates.
EFS certificates, for the few places we implemented it,
were created on an ad-hoc basis and manually backed up.

Once again, a use case has come up that is causing us to
revisit the decision on a campus PKI, this time to
support management of off-campus Windows computers
through Microsoft's DirectAccess feature. We
currently manage almost all on-campus JMU-owned
Windows computers using SCCM/SUP and Secunia and
would like to extend that to JMU-owned computers

Given the InCommon services, I don't see a huge need
for something on campus other than to handle machine
certificates (for DirectAccess and IPsec) and
possibly to help distribute InCommon user certificates.
EFS and BitLocker key management may enter the picture
too, but they're not strategic encryption options at
this point. But maybe I'm missing something.

I'd like to get a feel, from those of you who have
gone through this process, for the time and labor
commitments necessary to:

1) Get up to speed on the intricacies of implementing
and operating a PKI. Frankly, I find it daunting.
Sure, we could copy others' CPS, bring one up, and
have it operating fairly quickly. But the complexities
of merging technologies with business policies in
things like certificate contents and practice
statements, and the somewhat questionable
compatibility and finish of various "standards" and
products, concern me. I'm very worried about what
we don't know, and I want to make sure we do it right
the first time.

2) Actual implementation time and personnel commitments.

3) Ongoing operating, maintenance, and support time and

I'd also like to ask if you know of a consultant who
has actually gone through this process in a higher
education environment, who helped you set up something
that lasted through subsequent changes in use cases,
policies, integrations, and product changes, and whom
you'd recommend to others.

We'd probably be implementing using the Microsoft
Certificate Services product due to pricing and
compatibility with the perceived primary use cases.

Thanks in advance for any advice.
James Madison University