hypnotix911 posted March 30, 2008

Enterprise three-tier CA hierarchy on virtual machines? Or any part of the hierarchy (offline or online CAs)? Is it a bad idea? Any thoughts? Thanks a lot.
Dobromir Todorov posted March 31, 2008

I don't think it is a bad idea. Actually, considering the amount of computational resources required on a CA, it is probably a good idea to have all of them on small virtual machines. The only thing that comes to mind is the fact that the CA private key and other sensitive information had better be stored on HSMs (should they be supported on a VM, which I doubt) or smart cards (these are supported, if connected to a USB slot). If the private key or other sensitive info is stored locally on the VM, considering the fact that the VM is just a file, then stealing the file is equivalent to breaking physical security on real servers.

HTH,
Dobromir
Learn more about Security and Identity Management: Visit http://www.iamechanics.com

"hypnotix911" <hypnotix911@yahoo.com> wrote in message news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of the hierarchy (offline or online CAs)? Is it a bad idea?
> Any thoughts?
> Thanks a lot.
Brian Komar (MVP) posted April 1, 2008

Only if you use a network-attached HSM to protect the CA private keys.

Brian

"hypnotix911" <hypnotix911@yahoo.com> wrote in message news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of the hierarchy (offline or online CAs)? Is it a bad idea?
> Any thoughts?
> Thanks a lot.
hypnotix911 posted April 1, 2008

Thank you both, but what about using BitLocker on the VM files? (We don't have a budget for an HSM.)

"hypnotix911" <hypnotix911@yahoo.com> wrote in message news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of the hierarchy (offline or online CAs)? Is it a bad idea?
> Any thoughts?
> Thanks a lot.
Brian Komar (MVP) posted April 3, 2008

That does not protect the private keys. Anybody who is a local Admin can:
1) Export the CA's private key and certificate
2) Import it into any computer they want
3) Issue a certificate that your org trusts and cannot revoke from the CA console

What type of business are you in? Are you sure that you are making the right decision?

But, to summarize, BitLocker does not replace an HSM.

Brian

"hypnotix911" <hypnotix911@yahoo.com> wrote in message news:O7XW9MAlIHA.5820@TK2MSFTNGP04.phx.gbl...
> Thank you both,
> but what about using BitLocker on the VM files?
> (We don't have a budget for an HSM.)
>
> "hypnotix911" <hypnotix911@yahoo.com> wrote in message
> news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
>> Enterprise three-tier CA hierarchy on virtual machines?
>> Or any part of the hierarchy (offline or online CAs)? Is it a bad idea?
>> Any thoughts?
>> Thanks a lot.
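A defender-side check that follows from Brian's point, added here and not part of the thread: a PowerShell script that lists every certificate with a private key in the CA host's LocalMachine\My store (where a Windows CA's signing certificate lives) and reports which key provider holds the key and whether the key is marked exportable. It assumes it is run in an elevated session on the CA itself; the "Microsoft*" provider-name heuristic and the SoftwareBacked/Finding column names are this example's own, not anything from the thread.

```powershell
# Added example (not from the thread). Run elevated on the CA host.
# A Microsoft software KSP/CSP keeps key material in files under the VM's
# virtual disk, which is the exposure the thread describes; an HSM's own
# provider name (or the TPM's "Microsoft Platform Crypto Provider") is what
# you want to see for the CA signing key.
function Get-PrivateKeyProtection {
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $provider = $null; $exportable = $null; $hardware = $false
        try {
            # RSA first; fall back to ECDSA. Both return null for a mismatched algorithm.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }
            if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
                # CNG key: provider name and export policy come from the CngKey
                $provider   = $key.Key.Provider.Provider
                $exportable = ($key.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI CSP key
                $provider   = $key.CspKeyContainerInfo.ProviderName
                $exportable = $key.CspKeyContainerInfo.Exportable
                $hardware   = $key.CspKeyContainerInfo.HardwareDevice
            }
        } catch {
            $provider = "unreadable: $($_.Exception.Message)"
        }
        # Heuristic (this example's own): Microsoft's built-in providers other than the
        # TPM-backed Platform Crypto Provider store key material on the local disk.
        $softwareBacked = ($provider -like 'Microsoft*') -and
                          ($provider -notlike '*Platform Crypto*') -and -not $hardware
        $finding = if ($softwareBacked) {
            'Key material is on the VM disk; volume encryption does not keep it from a local admin or from anyone holding a copy of the VM'
        } else { 'OK: provider is not a Microsoft software provider' }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            Provider       = $provider
            Exportable     = $exportable
            SoftwareBacked = $softwareBacked
            Finding        = $finding
        }
    }
}

Get-PrivateKeyProtection | Format-Table -AutoSize -Wrap
```

A CA signing key reported as SoftwareBacked is the case Brian describes, whether or not Exportable is false: the export policy is enforced by the software provider on the same disk, so it is a defence against accidental export by operators, not against an administrator or a copied VM file.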