mailing list archives
MS Stand-alone CA on Shared Server?
From: "Megan Kielman" <megan.kielman () gmail com>
Date: Wed, 15 Aug 2007 07:07:20 -0700
I sent an email out a few days ago and haven't heard a response, not
sure if it didn't get sent or if nobody responded :) I apologize in
advance if this is a duplicate.
I have built a MS Stand-alone CA, as our certificate needs are very
small, this is the only CA in the hierarchy. I have read from several
sources that hosting the CA on a shared server is a bad idea, however,
we do not have enough resources to host the CA on its own server,
especially when it will have low utilization. Can anyone provide me
with assistance in properly hardening this box? Am I making a huge
mistake placing it on the same server that hosts our Operations
Manager (monitoring) Root server? It is currently sitting on an
internal isolated lan.
The risks that I understand are that if the server is renamed, the
issued certificates are no longer valid. Also, it is important that
the CA is protected since if compromised the integrity of our
certificates are lost.