Educause Security Discussion mailing list archives

Time and labor commitment to stand up a PKI


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 13 Jun 2012 14:02:46 -0400

Hi,

We've gone without a PKI a long time because every use
case that came up couldn't justify the outlay to stand
up a PKI and alternatives were always found. Sometimes
the concern over the operational costs and risks
associated with failures overrode the perceived benefits.

We're using InCommon for server certificates and plan
to use them for user and code signing certificates.
EFS certificates for the few places we implemented it
were created on an ad-hoc basis and manually backed up.

Once again, a use case has come up causing us to
revisit the decision for a campus PKI. This time to
support management of off-campus Windows computers
through Microsoft's DirectAccess feature. We
currently manage almost all on-campus JMU-owned
Windows computers using SCCM/SUP and Secunia and
would like to extend that to JMU-owned computers
off-campus.

Given the InCommon services, I don't see a huge need
for something on campus other than to handle machine
certificates (for DirectAccess and IPsec) and
possibly to help distribute InCommon user certificates.
EFS and BitLocker key management may enter the picture
too but they're not strategic encryption options at
this point. But maybe I'm missing something.

I'd like to get a feel from those of you who have
gone through this process of the time and labor
commitments necessary to:

1) Get up to speed on the intricacies of implementing
   and operating a PKI. Frankly, I find it daunting.
   Sure, we could copy others' CPS, bring one up, and
   have it operating fairly quickly. But the complexities
   of merging technologies with business policies in
   things like certificate contents and practices
   statements and the somewhat questionable
   compatibility and finish of various "standards" and
   products concern me. I'm very worried about what
   we don't know and I want to make sure we do it right
   the first time.

2) Actual implementation time and personnel commitments.

3) Ongoing operating, maintenance, and support time and
   costs.

I'd also like to ask if you know of a consultant who
has actually gone through this process in a higher
education environment who helped you set up something
that lasted through subsequent changes in use cases,
policies, integrations, and product changes and that
you'd recommend to others.

We'd probably be implementing using the Microsoft
Certificate Services product due to pricing and
compatibility with the perceived primary use cases.

Thanks in advance for any advice.


--
Gary Flynn
Security Engineer
James Madison University

