PKI (CA Hierarchy) and Hyper-V pros and cons

  • Thread starter Thread starter hypnotix911
  • Start date Start date
H

hypnotix911

Enterprise three-tier CA hierarchy on virtual machines?
Or any part of hierarchy (offline or online CAs )? Is it bad idea?
Any thoughts?
Tnx a lot.
 
I don't think it is a bad idea - actually, considering the amount of
computational resources required on a CA, it is probably a good idea to have
all of them on small virtual machines.

The only thing that comes to mind is the fact that the CA private key and
other sensitive information better be stored on HSMs (should they be
supported on VM - which I doubt), or SmartCards (these are supported, if
connected to a USB slot). If the private key or other sensitive info is
stored locally on the VM, considering the fact that the VM is just a file,
then stealing the file is equivalent to breaking phusical security on real
servers.

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"hypnotix911" wrote in message
news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
> Any thoughts?
> Tnx a lot.
>
 
Only if you use a network attached HSM to protect the CA private keys
Brian

"hypnotix911" wrote in message
news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
> Any thoughts?
> Tnx a lot.
>
 
Thank you both,
but what about using bitlocker on VM files?
(we don't have a budget for HSM)




"hypnotix911" wrote in message
news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
> Any thoughts?
> Tnx a lot.
>
 
That does not protect the private keys.
Any body who is local Admin can:
1) Export the CA's private key and certificate
2) Import it into *any* computer they want
3) Issue a certificate that your org trusts and cannot revoke from the CA
console
What type of business are you in. Are you sure that you are making the right
decision.
But, to summarize, BitLocker does not replace a HSM
Brian

"hypnotix911" wrote in message
news:O7XW9MAlIHA.5820@TK2MSFTNGP04.phx.gbl...
> Thank you both,
> but what about using bitlocker on VM files?
> (we don't have a budget for HSM)
>
>
>
>
> "hypnotix911" wrote in message
> news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
>> Enterprise three-tier CA hierarchy on virtual machines?
>> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
>> Any thoughts?
>> Tnx a lot.
>>
>
>
 
Back
Top