PKI (CA Hierarchy) and Hyper-V pros and cons

hypnotix911

Enterprise three-tier CA hierarchy on virtual machines?

Or any part of hierarchy (offline or online CAs )? Is it bad idea?

Any thoughts?

Tnx a lot.

 
Dobromir Todorov

I don't think it is a bad idea - actually, considering the amount of computational resources required on a CA, it is probably a good idea to have all of them on small virtual machines.

The only thing that comes to mind is the fact that the CA private key and other sensitive information better be stored on HSMs (should they be supported on VM - which I doubt), or SmartCards (these are supported, if connected to a USB slot). If the private key or other sensitive info is stored locally on the VM, considering the fact that the VM is just a file, then stealing the file is equivalent to breaking physical security on real servers.

--
HTH,
Dobromir
Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"hypnotix911" <hypnotix911@yahoo.com> wrote in message
news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
> Any thoughts?
> Tnx a lot.

 
Brian Komar (MVP)

Only if you use a network-attached HSM to protect the CA private keys.

Brian

"hypnotix911" <hypnotix911@yahoo.com> wrote in message
news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
> Any thoughts?
> Tnx a lot.

 
hypnotix911

Thank you both, but what about using BitLocker on VM files? (We don't have a budget for an HSM.)

"hypnotix911" <hypnotix911@yahoo.com> wrote in message
news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
> Any thoughts?
> Tnx a lot.

 
Brian Komar (MVP)

That does not protect the private keys.

Anybody who is local Admin can:

1) Export the CA's private key and certificate
2) Import it into any computer they want
3) Issue a certificate that your org trusts and cannot revoke from the CA console

What type of business are you in? Are you sure that you are making the right decision?

But, to summarize, BitLocker does not replace an HSM.

Brian

"hypnotix911" <hypnotix911@yahoo.com> wrote in message
news:O7XW9MAlIHA.5820@TK2MSFTNGP04.phx.gbl...
> Thank you both,
> but what about using bitlocker on VM files?
> (we don't have a budget for HSM)
>
> "hypnotix911" <hypnotix911@yahoo.com> wrote in message
> news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
>> Enterprise three-tier CA hierarchy on virtual machines?
>> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
>> Any thoughts?
>> Tnx a lot.
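The point Dobromir and Brian make above (a VM is a file, so a CA key held by a software provider travels with that file, and BitLocker on the VHD does not change that) can be checked on the CA host itself. The script below is an added example written for this thread, not code from any of the posters or from Microsoft: it lists every certificate with a private key in the local machine store, reports which key storage provider holds the key and whether the key is flagged exportable, and marks keys that live in one of the Microsoft software providers. It assumes Windows PowerShell 5.1 on the CA with .NET Framework 4.6.1 or later; `$CaSubjectFilter` is a placeholder you set to your CA's subject name.

```powershell
# Added example, not code from this thread. Audits certificates with private
# keys in Cert:\LocalMachine\My (where an AD CS CA keeps its signing certificate)
# and reports where each key is stored. Assumes Windows PowerShell 5.1 and
# .NET Framework 4.6.1+ on the CA host. $CaSubjectFilter is a placeholder.

$CaSubjectFilter = '*'   # placeholder; e.g. '*Issuing CA*' to limit output to the CA cert

function Get-PrivateKeyStorage {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $provider   = 'unknown'
    $exportable = $null

    try {
        # On .NET Framework these helpers return a CNG-backed object (RSACng / ECDsaCng)
        # for KSP keys and an RSACryptoServiceProvider for legacy CSP keys. Opening the
        # key does not export it; an HSM or smart card KSP only hands back a handle.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if (-not $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        }

        if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
            $cng        = $key.Key                      # System.Security.Cryptography.CngKey
            $provider   = $cng.Provider.Provider        # KSP name, e.g. "Microsoft Software Key Storage Provider"
            $exportable = $cng.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
        }
        elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info       = $key.CspKeyContainerInfo
            $provider   = $info.ProviderName            # legacy CSP name
            $exportable = $info.Exportable
        }
    }
    catch {
        # Key could not be opened (e.g. smart card not present); report and continue.
        $provider = "error: $($_.Exception.Message)"
    }

    # Microsoft's software KSP and the legacy software CSPs keep the key material
    # on disk inside the VM. Anything else (HSM KSP, smart card KSP, TPM) keeps it
    # off the guest file system, which is what the thread is asking for.
    $softwareBacked = ($provider -like 'Microsoft Software*') -or
                      ($provider -like 'Microsoft Strong*')   -or
                      ($provider -like 'Microsoft Enhanced*') -or
                      ($provider -like 'Microsoft Base*')

    [pscustomobject]@{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        Provider       = $provider
        Exportable     = $exportable
        SoftwareBacked = $softwareBacked
    }
}

Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like $CaSubjectFilter } |
    ForEach-Object { Get-PrivateKeyStorage -Cert $_ } |
    Format-Table -AutoSize
```

Read the `SoftwareBacked` column, not just `Exportable`: the exportable flag is metadata the provider enforces for ordinary callers, but Brian's scenario is a local Admin on a machine whose disk is a copyable file, so a software-backed key should be treated as recoverable by anyone who holds the VHD regardless of that flag. The row for the CA certificate should show a provider other than the Microsoft software ones before the hierarchy is considered protected the way the thread describes.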

 