Options

question about CA

donald7862003donald7862003 Member Posts: 128
in Planning Network Infra 70-293
On a standalone root CA can i just stop the server instead of shutting and/or disconnecting the server from the network. Why I ask is because it is suggested to shut the root CA down after distributing the certificate to the subordinate CA but what if i want to use that server for something else. Would it be a security risk to keep a "stopped" root CA on the network running another service?
On the road to MCITP......
· Share on FacebookShare on Twitter

Comments

  • Options
    hettyhetty Member Posts: 394
    From watching the CBT Nuggets, its suggested that the server is taken offline completely, whats to stop someone from starting the service up again or stealing the hard drive?. At the very least you could be running the root CA from a VM and securely encrypt it in a TrueCrypt volume or similar. And place that hard drive or dvd in the company safe.

    I havent read the book yet but im sure its something similar in operation.
    · Share on FacebookShare on Twitter
  • Options
    donald7862003donald7862003 Member Posts: 128
    hetty wrote:
    From watching the CBT Nuggets, its suggested that the server is taken offline completely, whats to stop someone from starting the service up again or stealing the hard drive?. At the very least you could be running the root CA from a VM and securely encrypt it in a TrueCrypt volume or similar. And place that hard drive or dvd in the company safe.

    I havent read the book yet but im sure its something similar in operation.


    Yeah but it sounds like a waste of hard drive. But ok.............
    On the road to MCITP......
    · Share on FacebookShare on Twitter
  • Options
    dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Another scenario I've seen is to purchase another Windows license and dual-boot between a standard server and the CA server (on a separate set of disks), and when the CA is not in use, remove the disk(s) and lock them up. That way you don't have any idle server, but you still have your CA data protected.

    edit: Donald, this is recommended for large organizations. Having a CA compromised for thousands of users would be detrimental. A few thousand dollar server sitting in a locked closet is a small price to pay for that security. This isn't a recommended solution for a 25-person business.
    · Share on FacebookShare on Twitter
  • Options
    hettyhetty Member Posts: 394
    donald7862003 wrote:
    Yeah but it sounds like a waste of hard drive. But ok.............

    Believe me a $100 hard drive is nothing compared to the amount of man hours, downtime, loss of customer reputation and other liabilities that a corporate root CA could cause if it is out in the open. A Root CA could have 1000s or 10s of thousands of subordinates from that one root CA.
    · Share on FacebookShare on Twitter
  • Options
    hettyhetty Member Posts: 394
    dynamik wrote:
    edit: Donald, this is recommended for large organizations. Having a CA compromised for thousands of users would be detrimental. A few thousand dollar server sitting in a locked closet is a small price to pay for that security. This isn't a recommended solution for a 25-person business.
    +1
    · Share on FacebookShare on Twitter
  • Options
    donald7862003donald7862003 Member Posts: 128
    Yeah i see that i was looking from a small company point of view. thanks for the info
    On the road to MCITP......
    · Share on FacebookShare on Twitter
Sign In or Register to comment.