mailing list archives
RE: MS Stand-alone CA on Shared Server?
From: "Ackley, Alex" <aackley () epmgpc com>
Date: Thu, 16 Aug 2007 12:15:17 -0400
Megan, I'll second this idea. This is exactly what we do. We virtualized our Root CA and then created a subordinate
CA to actually issue all of our certs. Powered down the root and been working just fine.
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ramsdell, Scott
Sent: Thursday, August 16, 2007 9:32 AM
To: Megan Kielman; security-basics () securityfocus com
Subject: RE: MS Stand-alone CA on Shared Server?
Do you have the option of virtualizing this box? You would then be able to run the virtual certificate root, authorize
a subordinate, then power the root down. Your subordinate would run on the shared server. You would then be able to
bring the root back up to revoke any cert if the subordinate was compromised.
Within Active Directory you will specify the recovery agent and other roles. To protect your cert server, ensure those
roles are properly assigned and monitor changes to those roles. Ideally, the recovery agent would be someone other
than the LAN admin or default domain admin account, otherwise the LAN admin has free reign. Make the recovery agent an
IT manager or HR type.
Only you can weigh your risks, and you'll want to consider how the certs are being used. Are you only signing internal
emails to add authenticity? If so, that's less of a risk than if you're using the certs to auth to MSGINA. If you're
using the certs to encrypt file systems, make sure you're taking advantage of Cert Server 2003's ability to centrally
store the certs. That way you'll be able to recover encrypted files with the recovery agent.
The certs are stored differently than on a host, they're in a secured database accessible through AD cert services
only. So, an admin of the server wouldn't have an easy time of exporting the certs, as you can't simply export them
the usual way you would a local cert.
I'm sure others on the list with more experience can contribute more specific info as well.
CISSP, CCNA, MCSE
Security Network Engineer
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Megan Kielman
Sent: Wednesday, August 15, 2007 9:07 AM
To: security-basics () securityfocus com
Subject: MS Stand-alone CA on Shared Server?
I sent an email out a few days ago and haven't heard a response, not
sure if it didn't get sent or if nobody responded :) I apologize in
advance if this is a duplicate.
I have built a MS Stand-alone CA, as our certificate needs are very
small, this is the only CA in the hierarchy. I have read from several
sources that hosting the CA on a shared server is a bad idea, however,
we do not have enough resources to host the CA on its own server,
especially when it will have low utilization. Can anyone provide me
with assistance in properly hardening this box? Am I making a huge
mistake placing it on the same server that hosts our Operations
Manager (monitoring) Root server? It is currently sitting on an
internal isolated lan.
The risks that I understand are that if the server is renamed, the
issued certificates are no longer valid. Also, it is important that
the CA is protected since if compromised the integrity of our
certificates are lost.