RE: How to setup a secure SSL certificate authority machine

["Cisternas Marquez, Gonzalo" <gcisternas () cientec com>]

Hello:

Mi experience said, mainly in physical scurity:

- Let a laptop, with a mirrorer Usb-like storage (one storge with 2 mirrored disks).
- Install the laptop with Operating System, and a link to the USB, where resides your CA software. The Notebook is 
stored away the disks, two separate offices at the end of the use. No data is stored in the notebook jut a copy of the 
key of the crypt of the disk (if it's posible) would be posible to have in the laptop.
- A customer made an metal box of 200 lbs for store the hard drive and only left out-of-the-box the conector for the 
drive (Just an idea).
- no nic or wlan or pcmcia were allowed for the notebook.
- my procedure says that :"each certifícate is saved in a floppy of one-time-use", we update this policy and bougth may 
usb pendrives of 256 Mb for key delivery only, just fot this purpose. Actual equipment does not have floppy, and the 
media is not so reliable either!!.


I hope that could help.

-----Mensaje original-----
De: listbounce () securityfocus com [mailto:listbounce () securityfocus com] En nombre de sabatorg () gmail com
Enviado el: Miércoles, 13 de Mayo de 2009 15:54
Para: security-basics () securityfocus com
Asunto: How to setup a secure SSL certificate authority machine

I am working for a company that has several internal CA's which are used to sign internal certificates. We use a laptop 
which has no network connectivity and is stored in a lock-box while not in use for all of our key management. SSL keys 
are transported with a USB stick which is also stored along with the key machine. This makes it impossible for the 
security engineers to do any key management while they are not at the office (after hours, weekends, vacation, etc).

I would like to make the key machine accessible remotely but put some heavy restrictions on it. Some of the thoughts 
that I had were: 
1. Have a server in a raised floor environment with physical security as well as a server rack lock. 
2. Run some variant of Linux and require SSH key authentication to the host. This way I can enforce multi-factor 
authentication (ssh key and pass-phrase on the key). I can also make remote management be tunneled through the SSH 
connection. 
3. Have a VirtualBox guest be the keymachine. 
4. Setup an encrypted partition with a password on it for the Guest machine files and not have the partition mounted 
when the key machine is not in use.

Any feedback would be great!

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------