Monday, April 6, 2009

PKI has made my life much easier

Our PKI system was originally put into place to allow for EFS on Windows XP Pro computers in a domain environment. Since then, we've utilized our PKI for 802.1x authentication (wired and wireless) on our network using EAP-TLS, email signature and encryption, HP Systems Insight Manager trusts, and other applications that have required authentication and/or client verification. Getting a PKI set up initially is very tricky, with many things that can cause the system to break. Some lessons learned were:

  • Set the root CA's expiration date to something rather far out (I chose 75 years).
  • The root CA should never be on the network, not even for security updates. A VM with no network card works great for this. We only power it on once a year to publish the CRL to a floppy disk. The Sub CA stays on the network and publishes a CRL (with deltas) constantly.
  • Ensure that your CRL publishes to multiple locations, including one completely off your network. Our corporate web site serves this purpose.
  • Test and document certificate revocation steps.
  • Test and document certificate and document (EFS) recovery steps.
  • To utilize Microsoft's CA capabilities completely, your Enterprise CA needs to run on Windows 2003 Enterprise.
Again, the PKI is not easy to initially set up, but once done, adding additional things like EFS, SSL VPN, and encrypted email becomes simple.
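The offline-root/online-sub-CA layout and the "test and document certificate revocation steps" lesson above, as an added example that is not part of the original post. The post's environment is a Microsoft CA, where certutil would be used; this script is a portable stand-in built with the OpenSSL command line in a scratch directory. Every name, path and lifetime in it is constructed for the demo: the root certificate mirrors the 75-year lifetime the post mentions, the root CRL is given a validity longer than the once-a-year publish so it cannot lapse between visits, the issuing CA republishes weekly, and the rehearsal confirms that a client certificate verifies before revocation and fails afterwards when the relying party checks CRLs for every CA in the chain.

```shell
#!/bin/sh
# Added example, not from the post: two-tier CA rehearsal with the OpenSSL CLI.
# The post's real environment is a Microsoft CA; this is a portable stand-in.
# All names, lifetimes and paths below are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
ROOT="$WORK/root"; SUB="$WORK/sub"
# Lay out the database one `openssl ca` instance needs.
# $1 = CA directory, $2 = CRL validity in days.
make_ca_dir() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    cat > "$1/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ ca ]
default_ca = this_ca
[ this_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = $2
policy           = any_pol
[ any_pol ]
commonName = supplied
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid:always
EOF
}

# Offline root: 75-year certificate; its CRL must outlive the yearly power-on.
make_ca_dir "$ROOT" 400
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 27375 \
    -subj "/CN=Demo Root CA" -config "$ROOT/ca.cnf" -extensions v3_root \
    -keyout "$ROOT/ca.key" -out "$ROOT/ca.crt" >/dev/null 2>&1
openssl ca -config "$ROOT/ca.cnf" -gencrl -out "$ROOT/ca.crl" >/dev/null 2>&1

# On-line issuing CA: signed by the root, republishes its CRL every week.
make_ca_dir "$SUB" 7
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Issuing CA" \
    -config "$SUB/ca.cnf" -keyout "$SUB/ca.key" -out "$SUB/ca.csr" >/dev/null 2>&1
openssl ca -batch -notext -config "$ROOT/ca.cnf" -extensions v3_sub -days 3650 \
    -in "$SUB/ca.csr" -out "$SUB/ca.crt" >/dev/null 2>&1

# An EAP-TLS style client certificate for a workstation, plus the first CRL.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=workstation01" \
    -config "$SUB/ca.cnf" -keyout "$WORK/ws.key" -out "$WORK/ws.csr" >/dev/null 2>&1
openssl ca -batch -notext -config "$SUB/ca.cnf" -extensions v3_leaf \
    -in "$WORK/ws.csr" -out "$WORK/ws.crt" >/dev/null 2>&1
openssl ca -config "$SUB/ca.cnf" -gencrl -out "$SUB/ca.crl" >/dev/null 2>&1

# Validate like a relying party: full chain, CRL required for every CA in it.
leaf_is_valid() {
    cat "$ROOT/ca.crt" "$SUB/ca.crt" > "$WORK/chain.pem"
    cat "$ROOT/ca.crl" "$SUB/ca.crl" > "$WORK/crls.pem"
    openssl verify -crl_check_all -CAfile "$WORK/chain.pem" \
        -CRLfile "$WORK/crls.pem" "$WORK/ws.crt" >/dev/null 2>&1
}

# The documented revocation procedure: revoke, then republish the CRL.
revoke_leaf() {
    openssl ca -batch -config "$SUB/ca.cnf" -revoke "$WORK/ws.crt" \
        -crl_reason keyCompromise >/dev/null 2>&1
    openssl ca -config "$SUB/ca.cnf" -gencrl -out "$SUB/ca.crl" >/dev/null 2>&1
}

# Full rehearsal: the fresh cert must verify, the revoked one must not.
rehearse() {
    leaf_is_valid || return 1
    revoke_leaf
    leaf_is_valid && return 1
    return 0
}

if rehearse; then RESULT=pass; else RESULT=fail; fi
echo "revocation rehearsal: $RESULT (work dir $WORK)"
```

Running the script prints `revocation rehearsal: pass` when a freshly issued certificate verifies and the same certificate is rejected once revoked and the issuing CA's CRL is republished. The `-crl_check_all` flag is the point of the exercise: it makes verification depend on the root CRL as well, so a root CRL that expired between yearly visits would fail every certificate in the hierarchy, which is why the root's CRL validity here is set longer than the publishing interval.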
