Guest S. Pidgorny, posted May 21, 2008

Yes some have virtualised the CAs. Problem being - you have difficulty using HSMs for key storage. If HSM isn't a requirement, you're good to go.

At the first glimpse your plan is inconsistent (why use a physical Enterprise CA?) and overly complicated (why do you need the three subordinates?).

I'm cross-posting this to security groups where PKI matters are discussed a lot.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org http://msmvps.com/blogs/sp

"Sam" <Sam@discussions.microsoft.com> wrote in message news:AF43BA1A-6DB7-4DD3-9BAA-41ADF3639DEE@microsoft.com...
> I am in the process of defining the CA architecture needs for my company. We are a single forest/domain so pretty simple and basic. Always looking to reduce capital costs, I was wondering if anyone has virtualized their entire CA infrastructure?
> My plan was to have a Virtual root, and filing the vmdk files in a safe location and then having 1 physical Enterprise, and 3 subordinates. I'd like to do all 4 intermediate and subordinates as Virtual servers rather than physical.
>
> Anyone experience any issues or even tried this?
Guest Sam, posted May 21, 2008

Thanks for the response.
We have three geographical hubs - Western & Eastern Canada, & US with additional plan sites. For fault tolerance, I thought it would be a good idea to have one in each area.
I will fully admit though that I do not know very much about CA services and am learning from reading as much as I can. I fully appreciate any feedback you provide.

The enterprise CA - can it provide service to 3000 Users/Computers without issues? I would prefer to have only one server to manage. We will basically be using the service for EFS and some email encryption to start. Eventually will branch out to SAP Dev and some internal Web services. Once experience is there, will likely replace all external SSL certs within our external Web services.
Guest Paul Adare, posted May 21, 2008

On Wed, 21 May 2008 06:28:03 -0700, Sam wrote:
> Thanks for the response.
> We have three geographical hubs - Western & Eastern Canada, & US with additional plan sites. For fault tolerance, I thought it would be a good idea to have one in each area.
> I will fully admit though that I do not know very much about CA services and am learning from reading as much as I can. I fully appreciate any feedback you provide.
>
> The enterprise CA - can it provide service to 3000 Users/Computers without issues? I would prefer to have only one server to manage. We will basically be using the service for EFS and some email encryption to start. Eventually will branch out to SAP Dev and some internal Web services. Once experience is there, will likely replace all external SSL certs within our external Web services.

Your original post is kind of confusing. You state that you plan to have 1 physical Enterprise and 3 subordinates; what exactly do you mean by that? Also what do you mean by "all 4 intermediate and subordinates"?

As far as the above, are you planning on only doing email signing/encryption internally or will your users be exchanging signed/encrypted email with others outside of your company? Similar question for the external SSL certs. Who will be using the external web sites: employees, external users, or both? If you plan on having non-employees consume your email or SSL certs then you're going to have problems as they won't trust your root and therefore won't accept your certificates issued in that chain.
How many email/external SSL certs are you looking at issuing?

--
Paul Adare
http://www.identit.ca
Variables won't; constants aren't. -- Osborn
Guest Sam, posted May 21, 2008

Sorry for the confusion. My plan is/was to have one enterprise CA (intermediate) and 3 subordinate issuing servers. My original question asked if anyone has virtualized (using VMware specifically) their CA environment. I would like to have just one Enterprise CA if possible as the fewer servers I have to manage the better. For now we will only be using the certificates internally for email and EFS.

Externally, we have about 10 SSL Certificates all through Verisign and please note I still have lots to learn about all of this and if issuing our own SSL certs will cause problems with our Customers, I will keep the Verisign version. The external Certs are used by non-employees and employees.
Guest Jorge de Almeida Pinto [MVP - DS], posted May 22, 2008

> Yes some have virtualised the CAs. Problem being - you have difficulty using HSMs for key storage. If HSM isn't a requirement, you're good to go.

True, but it depends on the type of HSMs you want to use for the CA.

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto
# MVP Identity & Access - Directory Services
# BLOG (WEB-BASED) --> http://blogs.dirteam.com/blogs/jorge/default.aspx
# BLOG (RSS-FEEDS) --> http://blogs.dirteam.com/blogs/jorge/rss.aspx
How to ask a question --> http://support.microsoft.com/?id=555375
This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
Guest Paul Adare, posted May 22, 2008

On Thu, 22 May 2008 02:23:30 +0200, Jorge de Almeida Pinto [MVP - DS] wrote:
>> Yes some have virtualised the CAs. Problem being - you have difficulty using HSMs for key storage. If HSM isn't a requirement, you're good to go.
>
> true, but it depends on the type of HSMs you want to use for the CA

You are obviously limited to network attached HSMs and even then, depending on the vendor, there may be some limitations. For example if you're using an nCipher netHSM you can't implement the nToken cards to further secure communications. Also, one's CPS may prohibit attaching an offline CA to a network entirely.

--
Paul Adare
http://www.identit.ca
Real programs don't eat cache.
Guest Paul Adare, posted May 22, 2008

On Wed, 21 May 2008 08:16:00 -0700, Sam wrote:
> Sorry for the confusion. My plan is/was to have one enterprise CA (intermediate) and 3 subordinate issuing servers.

So to clarify, you plan on implementing:

1 offline root as a standalone CA
1 online policy (intermediate) Enterprise CA
3 online issuing standalone CAs

Is that correct? If so, then given your original scenario you don't really need 3 tiers, and even if you were to implement 3 tiers the policy or intermediate tier should also be offline and be a standalone CA, not an Enterprise CA, and your online issuing CAs should be the Enterprise CAs.

> My original question asked if anyone has virtualized (using VMware specifically) their CA environment.

VMware is not officially supported for Certificate Services. Virtual Server 2005 R2 SP1 is.

> I would like to have just one Enterprise CA if possible as the fewer servers I have to manage the better. For now we will only be using the certificates internally for email and EFS.

I don't think you understand the differences between standalone and Enterprise CAs. You're far better off making your 3 issuing CAs Enterprise CAs as then you get all of the benefits of being able to manage them as you would any member server. Standalone CAs are more of a management burden and provide less functionality.

> Externally, we have about 10 SSL Certificates all through Verisign and please note I still have lots to learn about all of this and if issuing our own SSL certs will cause problems with our Customers, I will keep the Verisign version. The external Certs are used by non-employees and employees.

The problem with certificates that are issued internally is that no one outside of your organization will trust your root CA and a PKI is all about trust. If you use internally issued SSL certs for your external web sites, everyone who visits your site will receive a warning about the cert being issued by a CA they don't trust. If you're only dealing with 10 external certs then you're better off to keep purchasing these.

--
Paul Adare
http://www.identit.ca
On a clear disk you can seek forever. -- Denning
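The trust point Paul makes above, together with the offline-root / policy CA / issuing CA layout discussed in this thread, as an added example that is not part of the original posts: a shell script that builds that three-tier hierarchy with openssl and then verifies the server certificate twice, once as a client that has the private root installed and once as a client that does not. It assumes openssl 1.1.1 or later on PATH; the CA names, hostname and file layout are constructed for the example.

```shell
#!/bin/sh
# Three-tier private PKI (offline root -> policy CA -> issuing CA -> server cert)
# built with openssl, then checked from two relying-party viewpoints.
# Assumes openssl 1.1.1+; all names below are constructed for this example.
set -eu

# Create a key pair and CSR: $1 = dir, $2 = file stem, $3 = subject CN
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Sign a CSR with an issuer and an extension profile:
# $1 = dir, $2 = subject stem, $3 = issuer stem, $4 = extension file
sign_csr() {
  openssl x509 -req -sha256 -days 30 -in "$1/$2.csr" \
    -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
    -extfile "$4" -out "$1/$2.crt" 2>/dev/null
}

build_chain() {
  dir="$1"
  mkdir -p "$dir"
  # Extension profiles: CAs may sign certificates and CRLs; the leaf may not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' \
    > "$dir/leaf.ext"

  # Tier 1: self-signed root. Its key is used only to sign the policy CA and the
  # root CRL, which is why the thread keeps it powered off the rest of the time.
  make_csr "$dir" root "Example Offline Root CA"
  openssl x509 -req -sha256 -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

  # Tier 2: policy (intermediate) CA, signed by the root.
  make_csr "$dir" policy "Example Policy CA"
  sign_csr "$dir" policy root "$dir/ca.ext"

  # Tier 3: issuing CA, signed by the policy CA.
  make_csr "$dir" issuing "Example Issuing CA"
  sign_csr "$dir" issuing policy "$dir/ca.ext"

  # End entity: a web server certificate from the issuing CA.
  make_csr "$dir" leaf "www.example.test"
  sign_csr "$dir" leaf issuing "$dir/leaf.ext"

  # What the server sends with its certificate: the intermediates, never the root.
  cat "$dir/issuing.crt" "$dir/policy.crt" > "$dir/chain.pem"
}

# Verify the leaf the way a client does. $2 is the client's trust-anchor file;
# pass "" for a client that does not have the private root installed.
verify_leaf() {
  dir="$1"; anchor="${2:-}"
  if [ -n "$anchor" ]; then trust="-CAfile $anchor"; else trust=""; fi
  # -no-CAfile/-no-CApath exclude the system store, so the outcome depends
  # only on the anchor supplied here plus the chain the server sent.
  if openssl verify -no-CAfile -no-CApath $trust \
       -untrusted "$dir/chain.pem" "$dir/leaf.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Stand-alone run: same leaf, accepted with the root installed, rejected without it.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  build_chain "$work"
  echo "client trusting the private root: $(verify_leaf "$work" "$work/root.crt")"
  echo "client without that root:         $(verify_leaf "$work" "")"
fi
```

The second verification fails with "unable to get local issuer certificate", which is exactly the warning an outside visitor gets from an internally issued SSL certificate.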
Guest krutz, posted May 22, 2008

Hi all,

We are using 1 physical ROOT CA, 3 virtual Policy (Intermediate) CAs and 3 virtual Issuing CAs. We also have installed 1 Safenet LUNA SA networked HSM for the ROOT CA only and 1 Safenet LUNA SA networked HSM - Multi partition for the Policy and Issuing CAs. It is obvious that the ROOT CA & HSM are offline and powered up only when the CRL needs to be republished or a new Policy CA needs to be part of the path. All 3 Policy and 3 Issuing CAs are always powered and used for certificate issuing.

I do not understand why you would have an Intermediate Enterprise CA and Issuing Standalone CAs. I would do the contrary. All certificates that will be issued will come from the Issuing CAs. In order to have flexibility for the issuance of certificates for AD users and computers, Enterprise CAs are necessary.

I know that it is possible to have local Enterprise Issuing CAs linked to a third party WEB Trusted ROOT CA. This would take off the hassle of installing and maintaining a ROOT CA and Intermediate CAs. Moreover, the ROOT CA I am mentioning is automatically trusted in IE, Opera, Safari and soon in Mozilla. If you think this would be of interest, I could check and give you the company name that provides such possibilities.

Regards.
Guest Sam, posted May 22, 2008

Thank you for your response and time. I will keep only enterprise CAs and it is obvious I still have a lot to read and learn before I implement this environment.
Guest krutz, posted May 23, 2008

Depending on your final use of computer and end user certificates, they need to be trusted when used in a public world. Either you use an available publicly trusted ROOT CA or you will have to create your own ROOT CA and distribute it to all your potential partners and clients (nearly impossible to manage in a medium to large scale).

Regards,