nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Real world of CA best practice

mikedisd2

This may be where certs collide with realism; what's the dope on CA servers. MS' best practice is to have a standalone root CA which is switched off and strapped with proximity bombs. Then have a member server as the issuing CA server.

For a company with about 500 users and 70 servers is this really necessary? I get there's a security risk having the root CA available but this must be negligible, yeah?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

lordy

You should have your Root-CA offline and locked up.

I think it's best practice to create it once, then sign your Sub-CAs (e.g. Server, Clients, Users) with it before locking it in a bank vault

bertieb

At the least, make it a VM and lock it away (I know... I know.... pro's and con's of having it as a VM on security grounds but as long as its documented and the risks understood etc)....

Put it this way, if you ever get an internal security audit it's a lot easier to explain why you have your root CA as a virtual machine locked away, than having to explain one which is online 24x7 as well as trying to reverse engineer that in the future.

Mojo_666

The reality is most places don't use them. Those that do do not keep them off-line, lock them up or surround them with nukes...they just don't and they just don't need to.

mikedisd2

bertieb wrote: »

Put it this way, if you ever get an internal security audit...

I hadn't thought about auditors. I guess that's a valid reason for having a root CA. And yeah, my client's is a VM. I just see it as a wasted 40GB taken up by another OS build.

Mojo_666 wrote: »

The reality is most places don't use them.

That's what I wanted to hear.

bertieb

mikedisd2 wrote: »

I hadn't thought about auditors. I guess that's a valid reason for having a root CA. And yeah, my client's is a VM. I just see it as a wasted 40GB taken up by another OS build.

Auditors......the bane of my life this last few years. Most projects that I have involvement with on existing client infrastructure these days tend to have a large element of 'take this auditors recommendation report and make it go away'..... I remember when IT used to be fun.