Real world of CA best practice
This may be where certs collide with realism; what's the dope on CA servers? MS's best practice is to have a standalone root CA which is switched off and strapped with proximity bombs, then have a member server as the issuing CA server.
For a company with about 500 users and 70 servers is this really necessary? I get there's a security risk having the root CA available but this must be negligible, yeah?
Comments
-
lordy (Member, Posts: 632):
You should have your Root-CA offline and locked up.
I think it's best practice to create it once, then sign your Sub-CAs (e.g. Server, Clients, Users) with it before locking it in a bank vault.

Working on CCNP: [X] SWITCH --- [ ] ROUTE --- [ ] TSHOOT
Goal for 2014: RHCA
Goal for 2015: CCDP
-
bertieb (Member, Posts: 1,031):
At the least, make it a VM and lock it away (I know... I know.... pros and cons of having it as a VM on security grounds, but as long as it's documented and the risks understood etc.)....
Put it this way, if you ever get an internal security audit it's a lot easier to explain why you have your root CA as a virtual machine locked away than having to explain one which is online 24x7, as well as trying to reverse engineer that in the future.

The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
-
Mojo_666 (Member, Posts: 438):
The reality is most places don't use them. Those that do, do not keep them off-line, lock them up or surround them with nukes... they just don't, and they just don't need to.
-
mikedisd2 (Member, Posts: 1,096):
> Put it this way, if you ever get an internal security audit...

> The reality is most places don't use them.

I hadn't thought about auditors. I guess that's a valid reason for having a root CA. And yeah, my client's is a VM. I just see it as a wasted 40GB taken up by another OS build.
-
bertieb (Member, Posts: 1,031):
Auditors...... the bane of my life these last few years. Most projects that I have involvement with on existing client infrastructure these days tend to have a large element of 'take this auditor's recommendation report and make it go away'..... I remember when IT used to be fun.

The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln