PKI (CA Hierarchy) and Hyper-V pros and cons

Posted by hypnotix911 on March 30, 2008, 4:09 pm
Enterprise three-tier CA hierarchy on virtual machines?
Or any part of the hierarchy (offline or online CAs)? Is it a bad idea?
Any thoughts?
Tnx a lot.



Posted by Dobromir Todorov on March 31, 2008, 10:52 am
I don't think it is a bad idea - actually, considering the amount of
computational resources required on a CA, it is probably a good idea to have
all of them on small virtual machines.

The only thing that comes to mind is the fact that the CA private key and
other sensitive information better be stored on HSMs (should they be
supported on VM - which I doubt), or SmartCards (these are supported, if
connected to a USB slot). If the private key or other sensitive info is
stored locally on the VM, considering the fact that the VM is just a file,
then stealing the file is equivalent to breaking physical security on real
servers.

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of the hierarchy (offline or online CAs)? Is it a bad idea?
> Any thoughts?
> Tnx a lot.
>



Posted by Brian Komar (MVP) on March 31, 2008, 10:39 pm
Only if you use a network-attached HSM to protect the CA private keys.
Brian

> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of the hierarchy (offline or online CAs)? Is it a bad idea?
> Any thoughts?
> Tnx a lot.
>


Posted by hypnotix911 on April 1, 2008, 10:17 am
Thank you both,
but what about using BitLocker on VM files?
(we don't have a budget for HSM)




> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of the hierarchy (offline or online CAs)? Is it a bad idea?
> Any thoughts?
> Tnx a lot.
>



Posted by Brian Komar (MVP) on April 2, 2008, 8:09 pm
That does not protect the private keys.
Anybody who is local Admin can:
1) Export the CA's private key and certificate
2) Import it into *any* computer they want
3) Issue a certificate that your org trusts and cannot revoke from the CA
console
What type of business are you in? Are you sure that you are making the right
decision?
But, to summarize, BitLocker does not replace an HSM.
Brian

> Thank you both,
> but what about using BitLocker on VM files?
> (we don't have a budget for HSM)
>
>
>
>
>> Enterprise three-tier CA hierarchy on virtual machines?
>> Or any part of the hierarchy (offline or online CAs)? Is it a bad idea?
>> Any thoughts?
>> Tnx a lot.
>>
>
>
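
As an added example (not part of the thread or written by any of its posters), the following PowerShell check reports which cryptographic provider a Windows CA uses for its signing key, which is the point the replies above turn on: a software provider keeps the key inside the VM's disk image, where a local administrator can export it. It assumes it is run elevated on the CA itself; the function name `Get-KeyStorageClass` and the wording of the findings are illustrative.

```powershell
# Added example: report where the local AD CS CA keeps its private key.
# Assumption: run in an elevated PowerShell session on the CA itself.
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Providers that ship with Windows and keep key material on the local disk.
$softwareProviders = @(
    'Microsoft Software Key Storage Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft Base Cryptographic Provider v1.0'
)
# Providers that ship with Windows and keep the key on a smart card.
$smartCardProviders = @(
    'Microsoft Smart Card Key Storage Provider',
    'Microsoft Base Smart Card Crypto Provider'
)

# Hypothetical helper: classify a provider name into a storage class.
function Get-KeyStorageClass {
    param([Parameter(Mandatory)][string]$Provider)
    if ($softwareProviders -contains $Provider)  { return 'Software' }
    if ($smartCardProviders -contains $Provider) { return 'SmartCard' }
    return 'Other'   # e.g. an HSM vendor's provider; confirm with the vendor's tools
}

if (-not (Test-Path -LiteralPath $cfgPath)) {
    Write-Warning 'Certificate Services configuration not found; this host is not a CA.'
    return
}

# "Active" names the CA instance; its CSP subkey records the key provider.
$caName   = (Get-ItemProperty -LiteralPath $cfgPath).Active
$provider = (Get-ItemProperty -LiteralPath (Join-Path $cfgPath "$caName\CSP")).Provider
$class    = Get-KeyStorageClass -Provider $provider

[pscustomobject]@{
    CAName     = $caName
    Provider   = $provider
    KeyStorage = $class
    Finding    = switch ($class) {
        'Software'  { 'Key is stored in the VM disk image; disk encryption does not stop a local administrator exporting it.' }
        'SmartCard' { 'Key is held on a smart card.' }
        default     { 'Provider not in the lists above; confirm whether it is hardware-backed.' }
    }
}
```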

