Security Basics mailing list archives

Re: MS Stand-alone CA on Shared Server?


From: gjgowey () tmo blackberry net
Date: Thu, 16 Aug 2007 01:43:56 +0000

Huge mistake doesn't sum it up properly.  When I worked with OpenCA, the way it works is that the public cert for the
repository, the interface for users to request certs, and the CRL reside on one server connected to the network.
However, the private key for the CA and the software to sign requests were housed on a separate, non-network connected
box.  The requests were literally transferred via floppy to the disconnected box to be signed, making a CA compromise
something that would take an insider with physical access to accomplish.  Consider OpenCA because it has a better
security model.

Geoff
Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Megan Kielman" <megan.kielman () gmail com>

Date: Wed, 15 Aug 2007 07:07:20 
To: security-basics () securityfocus com
Subject: MS Stand-alone CA on Shared Server?


I sent an email out a few days ago and haven't heard a response, not
sure if it didn't get sent or if nobody responded :) I apologize in
advance if this is a duplicate.

I have built a MS Stand-alone CA, as our certificate needs are very
small, this is the only CA in the hierarchy. I have read from several
sources that hosting the CA on a shared server is a bad idea, however,
we do not have enough resources to host the CA on its own server,
especially when it will have low utilization. Can anyone provide me
with assistance in properly hardening this box? Am I making a huge
mistake placing it on the same server that hosts our Operations
Manager (monitoring) Root server? It is currently sitting on an
internal isolated lan.

The risks that I understand are that if the server is renamed, the
issued certificates are no longer valid. Also, it is important that
the CA is protected, since if compromised the integrity of our
certificates is lost.
Thanks!
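
The online/offline split described in the reply above, sketched as an added example that is not part of either post and is not OpenCA's own code. It uses the plain `openssl` command line as a stand-in, and the directory names, subject names and the `media` directory (playing the role of the floppy) are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: three directories stand in for the networked server,
# the disconnected signing box and the removable media. All names constructed.
set -eu
WORK=$(mktemp -d)
ONLINE="$WORK/online"; OFFLINE="$WORK/offline"; MEDIA="$WORK/media"
mkdir -p "$ONLINE" "$OFFLINE" "$MEDIA"

# Offline box: create the CA key pair; only the public ca.crt is exported.
offline_init_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Offline CA" \
        -keyout "$OFFLINE/ca.key" -out "$OFFLINE/ca.crt" 2>/dev/null
    chmod 600 "$OFFLINE/ca.key"
    cp "$OFFLINE/ca.crt" "$MEDIA/ca.crt"
}

# Online box: the requester's key stays here; only the CSR goes onto media.
online_make_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$ONLINE/$1.key" -out "$MEDIA/$1.csr" 2>/dev/null
}

# Offline box: check the CSR's self-signature first, then sign it.
offline_sign() {
    csr="$MEDIA/$1.csr"
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl x509 -req -in "$csr" -days 90 \
        -CA "$OFFLINE/ca.crt" -CAkey "$OFFLINE/ca.key" -CAcreateserial \
        -out "$MEDIA/$1.crt" 2>/dev/null
}

# Online box: import the results and check the chain using public data only.
online_import() {
    cp "$MEDIA/ca.crt" "$MEDIA/$1.crt" "$ONLINE/"
    openssl verify -CAfile "$ONLINE/ca.crt" "$ONLINE/$1.crt" >/dev/null
}

# True if no private key reached the media and no CA key is on the online box.
ca_key_contained() {
    ! grep -rq "PRIVATE KEY" "$MEDIA" && [ ! -e "$ONLINE/ca.key" ]
}

offline_init_ca
online_make_request host.example.test
offline_sign host.example.test
online_import host.example.test
ca_key_contained && echo "issued; CA key never left $OFFLINE"
```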
