I must install a PKI in my organization. I work in a Windows environment. I have already set up an offline CA. I must now install a subordinate CA. I have the choice between installing the subordinate CA on a domain controller or on a server running other services (WSUS, ...). I would like to know, from a security standpoint, what my best option is and why.
Are you running a virtual infrastructure? If so the best idea is to use a completely separate machine for your PKI sub-CAs. – Craine Dec 27 '14 at 15:04

I understand that the best option is to use a separate server, however in my case this is not feasible. – OBOF Dec 27 '14 at 15:15

*Lots* of recommendations for Windows CA although not this specific point AFAICS at http://security.stackexchange.com/questions/15532/checklist-on-building-an-offline-root-intermediate-certificate-authority-ca . – dave_thompson_085 Dec 28 '14 at 14:29
1 Answer
The simple answer, ignoring any operational constraints?
Situation One: If the CA's security is (1) ROUGHLY AS important for security as the domain controller (2) you have enough spare capacity and (3) you don't need to reduce security for the DC by giving anyone special access to the CA or changing firewall rules as a result, then just run it on the domain controller because:
- Presumably not too many people have access to the DC and it's well secured anyway.
- The CA will normally be dependent on the DC's security anyway, so if the DC gets hacked it's game over for the CA.
Situation Two: it's LESS important than the CA. It's for convenience somewhere, or testing and the certificates aren't critical for your security. Then run it on a separate server. Because:
- You won't undermine the security of the domain controller with the extra complexity (running extra code always increases the security risk - in the jargon "it increases the attack surface").
- You can give people access to manage the server without having to give them rights to the domain controller.
Situation Three: It's WAY more important than the DC security. For example, you are running a commercial CA.
- Use as much segregation and monitoring as possible. Probably a separate domain entirely.
- Get some security professionals in!
JCx