Posted by jeffgr1776 via WinServerKB.com on June 6, 2007, 6:08 pm
I am interested in the feasibility of configuring a root CA as a virtual
machine, which can be "stored" offline. Any thoughts?
Also, with a root CA as a VM, how about storing the private key in a USB HSM
such as Luna?
Jeff
--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200706/1
Posted by S. Pidgorny on June 7, 2007, 5:01 am
Both feasible. Any details you are interested in?
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
>I am interested in the feasibility of configuring a root CA as a virtual
> machine, which can be "stored" offline. Any thoughts?
>
> Also, with a root CA as a VM, how about storing the private key in a USB
> HSM
> such as Luna?
>
> Jeff
>
Posted by jeffgr1776 via WinServerKB.com on June 7, 2007, 10:28 am
I've not set up a PKI before, but I have considerable MS doc and guidance information.
The configuration I'm looking at would be a root CA as a VM, with one subordinate/issuing CA for our product and, later, one AD-integrated subordinate/issuing CA for the enterprise, about 150 people.
1) How well does this conform to best practices?
2) Any specific gotchas of which I should be aware?
3) Recommendations / experiences regarding HSMs, particularly FIPS 140-2 level 4.
Jeff
S. Pidgorny <MVP> wrote:
>Both feasible. Any details are you interested in?
>
>>I am interested in the feasibility of configuring a root CA as a virtual
>> machine, which can be "stored" offline. Any thoughts?
>[quoted text clipped - 4 lines]
>>
>> Jeff
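For the two-tier design in the question (offline standalone root, online issuing CA), the settings that most often trip people up are the CRL lifetime and the CDP/AIA URLs baked into the subordinate's certificate. The batch script below is an added example, not part of this thread, and assumes a placeholder web server name `pki.example.com` and the default CertEnroll paths; private-key storage in an HSM is chosen through the HSM vendor's CSP at install time and is not covered here.

```batch
@echo off
REM Post-install settings for a standalone offline root CA, run once on the
REM root VM after Certificate Services is installed (Windows Server 2003 SP1+).
REM pki.example.com is a placeholder for an HTTP server that stays online;
REM the root itself never needs a network connection.

REM The root only signs subordinate CA certificates, so give them a long
REM lifetime and a long CRL period: the VM is powered off between signings
REM and the CRL must stay valid until the next scheduled session.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"

REM Delta CRLs are pointless for a CA that is offline most of the time.
certutil -setreg CA\CRLDeltaPeriodUnits 0

REM CDP and AIA in issued certificates must point at the online web server,
REM never at the root VM. Prefix 1: = write the file locally on publish,
REM 2: = include the URL in certificates the CA issues. %%3%%8%%9 and
REM %%1_%%3%%4 are certutil's own name tokens (doubled for batch).
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.example.com/CertEnroll/%%3%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.example.com/CertEnroll/%%1_%%3%%4.crt"

REM Restart the service so the new registry values take effect.
net stop certsvc
net start certsvc

REM Issue the first CRL. Copy the .crt and .crl from CertEnroll to the web
REM server, then publish both to AD from a domain-joined machine:
REM   certutil -dspublish -f RootCA.crt RootCA
REM   certutil -dspublish -f RootCA.crl
certutil -crl
```

Because the root is offline, put the CRL re-issue date (26 weeks here) in a calendar: an expired root CRL breaks revocation checking for every certificate below the issuing CA.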
Posted by Brian Komar on June 7, 2007, 4:16 pm
On Wed, 06 Jun 2007 22:08:36 GMT, jeffgr1776 via WinServerKB.com wrote:
> I am interested in the feasibility of configuring a root CA as a virtual
> machine, which can be "stored" offline. Any thoughts?
>
> Also, with a root CA as a VM, how about storing the private key in a USB HSM
> such as Luna?
>
> Jeff
There are some risks, as it is very easy to walk out of a company with a
DVD containing the root CA.
You can use an HSM, but I have never heard of a USB HSM.
For offline roots, your only option that I am aware of is a network attached
HSM: Luna SA or nCipher netHSM.
As for support, the only supported virtualized environment is Microsoft
Virtual Server 2003 R2 SP1.
The virtualized CA must be running Windows Server 2003 SP1 or higher.
HTH,
Brian
Posted by S. Pidgorny on June 8, 2007, 5:48 am
G'day:
> As for support, the only supported virtualized environment is Microsoft
> Virtual Server 2003 R2 SP1.
Interesting. Is that a CA-specific or a general restriction?