Security Basics mailing list archives
Re: MS Stand-alone CA on Shared Server?
From: gjgowey () tmo blackberry net
Date: Thu, 16 Aug 2007 01:43:56 +0000
Huge mistake doesn't sum it up properly. When I worked with OpenCA, the way it works is that the public cert for the repository, the interface for users to request certs, and the CRL reside on one server connected to the network. However, the private key for the CA and the software to sign requests were housed on a separate, non-network-connected box. The requests were literally transferred via floppy to the disconnected box to be signed, making a CA compromise something that would take an insider with physical access to accomplish. Consider OpenCA because it has a better security model.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Megan Kielman" <megan.kielman () gmail com>
Date: Wed, 15 Aug 2007 07:07:20
To: security-basics () securityfocus com
Subject: MS Stand-alone CA on Shared Server?

I sent an email out a few days ago and haven't heard a response; not sure if it didn't get sent or if nobody responded :) I apologize in advance if this is a duplicate.

I have built a MS Stand-alone CA; as our certificate needs are very small, this is the only CA in the hierarchy. I have read from several sources that hosting the CA on a shared server is a bad idea; however, we do not have enough resources to host the CA on its own server, especially when it will have low utilization. Can anyone provide me with assistance in properly hardening this box? Am I making a huge mistake placing it on the same server that hosts our Operations Manager (monitoring) Root server? It is currently sitting on an internal isolated LAN.

The risks that I understand are that if the server is renamed, the issued certificates are no longer valid. Also, it is important that the CA is protected, since if it is compromised the integrity of our certificates is lost.

Thanks!
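The split Geoff describes (public cert, request interface and CRL on the networked server; private key and signing software on a disconnected box, with requests carried across by hand) can be modelled end to end with nothing but the openssl command line. The script below is an added example, not code from the thread and not OpenCA's own tooling: two directories stand in for the two machines, the CA key is only ever written under the "offline" directory, and the only artifacts that cross the gap are a CSR going in and a certificate or CRL coming out. Directory names, the hostname, and the CA name are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical names/paths; not from the thread or OpenCA).
# "offline/" plays the air-gapped signing box that alone holds the CA private
# key; "online/" plays the network-facing server holding only the CA cert, the
# CRL and requests. Only a CSR goes in and a cert/CRL comes out (the floppy).
set -eu

WORK="${WORK:-$(mktemp -d)}"
OFFLINE="$WORK/offline"   # hypothetical air-gapped signing box
ONLINE="$WORK/online"     # hypothetical network-connected repository/CRL server

# One-time setup of the offline box: ca(1) database, config, self-signed root.
setup_offline_ca() {
    mkdir -p "$OFFLINE/private" "$OFFLINE/newcerts" "$OFFLINE/inbox" "$ONLINE"
    chmod 700 "$OFFLINE/private"
    : > "$OFFLINE/index.txt"
    echo 1000 > "$OFFLINE/serial"
    echo 1000 > "$OFFLINE/crlnumber"
    cat > "$OFFLINE/ca.cnf" <<EOF
[ ca ]
default_ca = offline_root
[ offline_root ]
database = $OFFLINE/index.txt
new_certs_dir = $OFFLINE/newcerts
serial = $OFFLINE/serial
crlnumber = $OFFLINE/crlnumber
private_key = $OFFLINE/private/ca.key
certificate = $OFFLINE/ca.crt
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
x509_extensions = leaf_ext
[ cn_only ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Offline Root
EOF
    # The root key is generated on, and never leaves, the offline box.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$OFFLINE/ca.cnf" -extensions root_ext \
        -keyout "$OFFLINE/private/ca.key" -out "$OFFLINE/ca.crt" 2>/dev/null
    chmod 600 "$OFFLINE/private/ca.key"
    cp "$OFFLINE/ca.crt" "$ONLINE/ca.crt"   # only the public cert is published
}

# Online side: a service makes its own key and a CSR; only the CSR will travel.
make_request() {   # $1 = hostname
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n' "$1" \
        > "$ONLINE/$1.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$ONLINE/$1.cnf" \
        -keyout "$ONLINE/$1.key" -out "$ONLINE/$1.csr" 2>/dev/null
}

# Sneakernet: carry the CSR to the offline box, sign there, carry the cert back.
sign_request() {   # $1 = hostname
    cp "$ONLINE/$1.csr" "$OFFLINE/inbox/$1.csr"
    openssl ca -batch -notext -config "$OFFLINE/ca.cnf" \
        -in "$OFFLINE/inbox/$1.csr" -out "$OFFLINE/inbox/$1.crt"
    cp "$OFFLINE/inbox/$1.crt" "$ONLINE/$1.crt"
}

# Revocation is decided on the offline box; the CRL it signs is what gets
# published. Call with no argument to just reissue the CRL.
publish_crl() {   # $1 = hostname to revoke (optional)
    [ -z "${1:-}" ] || openssl ca -config "$OFFLINE/ca.cnf" -revoke "$OFFLINE/inbox/$1.crt"
    openssl ca -config "$OFFLINE/ca.cnf" -gencrl -out "$OFFLINE/crl.pem"
    cp "$OFFLINE/crl.pem" "$ONLINE/crl.pem"
}

# Relying-party check using only what the online server publishes: returns 0
# when the chain verifies against ca.crt and the cert is not on the CRL.
verify_published() {   # $1 = hostname
    openssl verify -crl_check -CAfile "$ONLINE/ca.crt" -CRLfile "$ONLINE/crl.pem" \
        "$ONLINE/$1.crt" >/dev/null 2>&1
}

# The whole point of the design: no line of the CA private key exists online.
ca_key_confined() {
    key_line=$(sed -n 2p "$OFFLINE/private/ca.key")
    ! grep -rqF "$key_line" "$ONLINE"
}

setup_offline_ca
make_request web01
sign_request web01
publish_crl                      # empty CRL: web01 verifies
verify_published web01 && echo "web01: valid"
publish_crl web01                # revoke on the offline box, republish the CRL
verify_published web01 || echo "web01: revoked"
ca_key_confined && echo "CA key confined to $OFFLINE/private"
```

The relying-party check deliberately reads only files under the online directory, which is the same constraint a client on the network has: it can validate a chain and consult the CRL without any access to the signing box. Renaming either host has no effect on the issued certificates here because the trust anchor is the self-signed root certificate, not a machine name.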
Current thread:
- MS Stand-alone CA on Shared Server? Megan Kielman (Aug 15)
- RE: MS Stand-alone CA on Shared Server? Ramsdell, Scott (Aug 16)
- RE: MS Stand-alone CA on Shared Server? Ackley, Alex (Aug 16)
- Re: MS Stand-alone CA on Shared Server? Megan Kielman (Aug 16)
- RE: MS Stand-alone CA on Shared Server? Ramsdell, Scott (Aug 16)
- Re: MS Stand-alone CA on Shared Server? Megan Kielman (Aug 17)
- RE: MS Stand-alone CA on Shared Server? Ramsdell, Scott (Aug 16)
- Re: MS Stand-alone CA on Shared Server? gjgowey (Aug 16)