Security Basics mailing list archives
RE: How to setup a secure SSL certificate authority machine
From: "Cisternas Marquez, Gonzalo" <gcisternas () cientec com>
Date: Mon, 18 May 2009 12:01:29 -0400
Hello: Mi experience said, mainly in physical scurity: - Let a laptop, with a mirrorer Usb-like storage (one storge with 2 mirrored disks). - Install the laptop with Operating System, and a link to the USB, where resides your CA software. The Notebook is stored away the disks, two separate offices at the end of the use. No data is stored in the notebook jut a copy of the key of the crypt of the disk (if it's posible) would be posible to have in the laptop. - A customer made an metal box of 200 lbs for store the hard drive and only left out-of-the-box the conector for the drive (Just an idea). - no nic or wlan or pcmcia were allowed for the notebook. - my procedure says that :"each certifícate is saved in a floppy of one-time-use", we update this policy and bougth may usb pendrives of 256 Mb for key delivery only, just fot this purpose. Actual equipment does not have floppy, and the media is not so reliable either!!. I hope that could help. -----Mensaje original----- De: listbounce () securityfocus com [mailto:listbounce () securityfocus com] En nombre de sabatorg () gmail com Enviado el: Miércoles, 13 de Mayo de 2009 15:54 Para: security-basics () securityfocus com Asunto: How to setup a secure SSL certificate authority machine I am working for a company that has several internal CA's which are used to sign internal certificates. We use a laptop which has no network connectivity and is stored in a lock-box while not in use for all of our key management. SSL keys are transported with a USB stick which is also stored along with the key machine. This makes it impossible for the security engineers to do any key management while they are not at the office (after hours, weekends, vacation, etc). I would like to make the key machine accessible remotely but put some heavy restrictions on it. Some of the thoughts that I had were: 1. Have a server in a raised floor environment with physical security as well as a server rack lock. 2. Run some variant of Linux and require SSH key authentication to the host. This way I can enforce multi-factor authentication (ssh key and pass-phrase on the key). I can also make remote management be tunneled through the SSH connection. 3. Have a VirtualBox guest be the keymachine. 4. Setup an encrypted partition with a password on it for the Guest machine files and not have the partition mounted when the key machine is not in use. Any feedback would be great! ------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html ------------------------------------------------------------------------
Current thread:
- How to setup a secure SSL certificate authority machine sabatorg (May 18)
- Re: How to setup a secure SSL certificate authority machine Lars (May 19)
- Re: How to setup a secure SSL certificate authority machine Brad Edmondson (May 19)
- RE: How to setup a secure SSL certificate authority machine Cisternas Marquez, Gonzalo (May 19)
- Re: How to setup a secure SSL certificate authority machine Lars (May 19)