Re: Virtualized Certificate Authority Services

[S. Pidgorny]

Yes some have virtualised the CAs. Problem being - you have difficulty using
HSMs for key storage. If HSM isn't a requirement, you're good to go.

At the first glimpse your plan is inconsistent (why use physical Enterprise
CA?) and overly complicated (why do you need the three subordinates?).

I'm cross-posting this to security groups where PKI matters are discussed a
lot.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


"Sam" wrote in message
news:AF43BA1A-6DB7-4DD3-9BAA-41ADF3639DEE@microsoft.com...
>I am in the process of defining the CA architecture needs for my company.
>We
> are a single forest/domain so pretty simple and basic. Always looking to
> reduce capital costs, I was wondering if anyone has virtualized their
> entire
> CA infrastructure?
> My plan was to have a Virtual root, and filing the vmdk files in a safe
> location and then having 1 physical Enterprise, and 3 subordinates. I'd
> like
> to do all 4 intermediate and subordinates as Virtual servers rather than
> physical.
>
> Anyone experience any issues or even tried this?
>
>

 

[Sam]

Thanks for the response.
We have three geographical hubs - Western & Eastern Canada, & US with
additional plan sites. For fault tolerance, I thought it would be a good idea
to have one in each area.
I will fully admit though that I do not know very much about CA services and
am learning from reading as much as I can. I fully appreciate any feedback
you provide.

The enterprise CA - can it provide service to 3000 Users/Computers without
issues? I would prefer to have only one server to manage. We will basically
be using the service for EFS and some email encryption to start. Eventually
will branch out to SAP Dev and some internal Web services. Once experience is
there, will likely replace all external SSL certs within our external Web
services.


"S. Pidgorny " wrote:

> Yes some have virtualised the CAs. Problem being - you have difficulty using
> HSMs for key storage. If HSM isn't a requirement, you're good to go.
>
> At the first glimpse your plan is inconsistent (why use physical Enterprise
> CA?) and overly complicated (why do you need the three subordinates?).
>
> I'm cross-posting this to security groups where PKI matters are discussed a
> lot.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
>
> "Sam" wrote in message
> news:AF43BA1A-6DB7-4DD3-9BAA-41ADF3639DEE@microsoft.com...
> >I am in the process of defining the CA architecture needs for my company.
> >We
> > are a single forest/domain so pretty simple and basic. Always looking to
> > reduce capital costs, I was wondering if anyone has virtualized their
> > entire
> > CA infrastructure?
> > My plan was to have a Virtual root, and filing the vmdk files in a safe
> > location and then having 1 physical Enterprise, and 3 subordinates. I'd
> > like
> > to do all 4 intermediate and subordinates as Virtual servers rather than
> > physical.
> >
> > Anyone experience any issues or even tried this?
> >
> >
>
>
>

 

[Paul Adare]

On Wed, 21 May 2008 06:28:03 -0700, Sam wrote:

> Thanks for the response.
> We have three geographical hubs - Western & Eastern Canada, & US with
> additional plan sites. For fault tolerance, I thought it would be a good idea
> to have one in each area.
> I will fully admit though that I do not know very much about CA services and
> am learning from reading as much as I can. I fully appreciate any feedback
> you provide.
>
> The enterprise CA - can it provide service to 3000 Users/Computers without
> issues? I would prefer to have only one server to manage. We will basically
> be using the service for EFS and some email encryption to start. Eventually
> will branch out to SAP Dev and some internal Web services. Once experience is
> there, will likely replace all external SSL certs within our external Web
> services.

Your original post is kind of confusing. You state that you plan to have 1
physical Enterprise and 3 subordinates, what exactly do you mean by that?
Also what do you mean by "all 4 intermediate and subordinates"?

As far as the above, are you planning on only doing email
signing/encryption internally or will you users be exchanging
signed/encrypted email with others outside of your company? Similar
question for the external SSL certs. Who will be using the external web
sites, employees, external users, or both. If you plan on having
non-employees consume your email or SSL certs then you're going to have
problems as they won't trust your root and therefore won't accept your
certificates issued in that chain.
How many email/external SSL certs are you looking at issuing?

>
>
> "S. Pidgorny " wrote:
>
>> Yes some have virtualised the CAs. Problem being - you have difficulty using
>> HSMs for key storage. If HSM isn't a requirement, you're good to go.
>>
>> At the first glimpse your plan is inconsistent (why use physical Enterprise
>> CA?) and overly complicated (why do you need the three subordinates?).
>>
>> I'm cross-posting this to security groups where PKI matters are discussed a
>> lot.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>>
>> "Sam" wrote in message
>> news:AF43BA1A-6DB7-4DD3-9BAA-41ADF3639DEE@microsoft.com...
>>>I am in the process of defining the CA architecture needs for my company.
>>>We
>>> are a single forest/domain so pretty simple and basic. Always looking to
>>> reduce capital costs, I was wondering if anyone has virtualized their
>>> entire
>>> CA infrastructure?
>>> My plan was to have a Virtual root, and filing the vmdk files in a safe
>>> location and then having 1 physical Enterprise, and 3 subordinates. I'd
>>> like
>>> to do all 4 intermediate and subordinates as Virtual servers rather than
>>> physical.
>>>
>>> Anyone experience any issues or even tried this?
>>>
>>>
>>
>>
>>


--
Paul Adare
http://www.identit.ca
Variables won't constants aren't. -- Osborn

 

[Sam]

Sorry for the confusion. My plan is/was to have one enterprise CA
(intermediate) and 3 subordinate issuing servers. My original question asked
if anyone has virtualized (using VMWARE specifically) for their CA
environment.

I would like to have just one Enterprise CA if possible as the less servers
I have to manage the better. For now we will only be using the certificates
internally for email and EFS.

Externally, we have about 10 SSL Certificates all through Verisign and
please note I still have lots to learn about all of this and if issuing our
own SSL certs will cause problems with our Customers, I will keep the Versign
version. The external Certs are used by non-employees and employees.

> Your original post is kind of confusing. You state that you plan to have 1
> physical Enterprise and 3 subordinates, what exactly do you mean by that?
> Also what do you mean by "all 4 intermediate and subordinates"?
>
> As far as the above, are you planning on only doing email
> signing/encryption internally or will you users be exchanging
> signed/encrypted email with others outside of your company? Similar
> question for the external SSL certs. Who will be using the external web
> sites, employees, external users, or both. If you plan on having
> non-employees consume your email or SSL certs then you're going to have
> problems as they won't trust your root and therefore won't accept your
> certificates issued in that chain.
> How many email/external SSL certs are you looking at issuing?
>
> >
> >
> > "S. Pidgorny " wrote:
> >
> >> Yes some have virtualised the CAs. Problem being - you have difficulty using
> >> HSMs for key storage. If HSM isn't a requirement, you're good to go.
> >>
> >> At the first glimpse your plan is inconsistent (why use physical Enterprise
> >> CA?) and overly complicated (why do you need the three subordinates?).
> >>
> >> I'm cross-posting this to security groups where PKI matters are discussed a
> >> lot.
> >>
> >> --
> >> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> >> -= F1 is the key =-
> >>
> >> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
> >>
> >>
> >> "Sam" wrote in message
> >> news:AF43BA1A-6DB7-4DD3-9BAA-41ADF3639DEE@microsoft.com...
> >>>I am in the process of defining the CA architecture needs for my company.
> >>>We
> >>> are a single forest/domain so pretty simple and basic. Always looking to
> >>> reduce capital costs, I was wondering if anyone has virtualized their
> >>> entire
> >>> CA infrastructure?
> >>> My plan was to have a Virtual root, and filing the vmdk files in a safe
> >>> location and then having 1 physical Enterprise, and 3 subordinates. I'd
> >>> like
> >>> to do all 4 intermediate and subordinates as Virtual servers rather than
> >>> physical.
> >>>
> >>> Anyone experience any issues or even tried this?
> >>>
> >>>
> >>
> >>
> >>
>
>
> --
> Paul Adare
> http://www.identit.ca
> Variables won't constants aren't. -- Osborn
>

 

[Jorge de Almeida Pinto [MVP - DS]

> Yes some have virtualised the CAs. Problem being - you have difficulty
> using
> HSMs for key storage. If HSM isn't a requirement, you're good to go.

true, but it depends on the type of HSMs you want to use for the CA

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Sam" wrote in message
news:B9166C87-649A-4A11-8C92-4FDEFB1CCE25@microsoft.com...
> Thanks for the response.
> We have three geographical hubs - Western & Eastern Canada, & US with
> additional plan sites. For fault tolerance, I thought it would be a good
> idea
> to have one in each area.
> I will fully admit though that I do not know very much about CA services
> and
> am learning from reading as much as I can. I fully appreciate any feedback
> you provide.
>
> The enterprise CA - can it provide service to 3000 Users/Computers without
> issues? I would prefer to have only one server to manage. We will
> basically
> be using the service for EFS and some email encryption to start.
> Eventually
> will branch out to SAP Dev and some internal Web services. Once experience
> is
> there, will likely replace all external SSL certs within our external Web
> services.
>
>
> "S. Pidgorny " wrote:
>
>> Yes some have virtualised the CAs. Problem being - you have difficulty
>> using
>> HSMs for key storage. If HSM isn't a requirement, you're good to go.
>>
>> At the first glimpse your plan is inconsistent (why use physical
>> Enterprise
>> CA?) and overly complicated (why do you need the three subordinates?).
>>
>> I'm cross-posting this to security groups where PKI matters are discussed
>> a
>> lot.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>>
>> "Sam" wrote in message
>> news:AF43BA1A-6DB7-4DD3-9BAA-41ADF3639DEE@microsoft.com...
>> >I am in the process of defining the CA architecture needs for my
>> >company.
>> >We
>> > are a single forest/domain so pretty simple and basic. Always looking
>> > to
>> > reduce capital costs, I was wondering if anyone has virtualized their
>> > entire
>> > CA infrastructure?
>> > My plan was to have a Virtual root, and filing the vmdk files in a safe
>> > location and then having 1 physical Enterprise, and 3 subordinates. I'd
>> > like
>> > to do all 4 intermediate and subordinates as Virtual servers rather
>> > than
>> > physical.
>> >
>> > Anyone experience any issues or even tried this?
>> >
>> >
>>
>>
>>

 

[Paul Adare]

On Thu, 22 May 2008 02:23:30 +0200, Jorge de Almeida Pinto [MVP - DS]
wrote:

>> Yes some have virtualised the CAs. Problem being - you have difficulty
>> using
>> HSMs for key storage. If HSM isn't a requirement, you're good to go.
>
> true, but it depends on the type of HSMs you want to use for the CA

You are obviously limited to network attached HSMs and even then, depending
on the vendor there maybe some limitations. For example if you're using an
nCipher netHSM you can't implement the nToken cards to further secure
communications. Also, one's CPS may prohibit attaching an offline CA to a
network entirely.

--
Paul Adare
http://www.identit.ca
Real programs don't eat cache.

 

[Paul Adare]

On Wed, 21 May 2008 08:16:00 -0700, Sam wrote:

> Sorry for the confusion. My plan is/was to have one enterprise CA
> (intermediate) and 3 subordinate issuing servers.

So to clarify, you plan on implementing:

1 offline root as a standalone CA
1 online policy (intermediate) Enterprise CA
3 online issuing standalone CAs

Is that correct? If so, then given your original scenario you don't really
need 3 tiers, and even if you were to implement 3 tiers the policy or
intermediate tier should also be offline and be a standalone CA, not an
Enterprise CA and your online issuing CAs should be the Enterprise CAs.

> My original question asked
> if anyone has virtualized (using VMWARE specifically) for their CA
> environment.

VMWare is not officially supported for Certificate Services. Virtual Server
2005 R2 SP1 is.

>
> I would like to have just one Enterprise CA if possible as the less servers
> I have to manage the better. For now we will only be using the certificates
> internally for email and EFS.

I don't think you understand the differences between standalone and
Enterprise CAs. You're far better off making your 3 issuing CAs Enterprise
CAs as then you get all of the benefits of being able to manage them as you
would any member server. Standalone CAs are more of a management burden and
provide less functionality.

>
> Externally, we have about 10 SSL Certificates all through Verisign and
> please note I still have lots to learn about all of this and if issuing our
> own SSL certs will cause problems with our Customers, I will keep the Versign
> version. The external Certs are used by non-employees and employees.

The problem with certificates that are issued internally is that no one
outside of your organization will trust your root CA and a PKI is all about
trust. If you use internally issued SSL certs for your external web sites,
everyone who visits your site will receive a warning about the cert being
issued by a CA they don't trust. IF you're only dealing with 10 external
certs then you're better off to keep purchasing these.

--
Paul Adare
http://www.identit.ca
On a clear disk you can seek forever. -- Denning

 

[krutz]

Hi all,

We are using 1 physical ROOT CA, 3 virtual Policy (Intermediate) CAs
and 3 virtual Issuing CAs. We also have installed 1 Safenet LUNA SA
networked HSM for the ROOT CA only and 1 Safenet LUNA SA networked HSM
- Multi partition for the Policy and Issuing CAs.

It is obvious that the ROOT CA & HSM are offline and powered up only
when the CRL needs to be republished or a new Policy CA needs to be
part of the path.
All 3 Policy and 3 Issuing CAs are always powered and used for
certificate issuing.

I do not understand why you would have an Intermediate Enterprise CA
and Issuing Standalone CAs. I would do the contrary. All certificates
that will be issued will come from the Issuing CAs. In order to have
flexibility for the issuance of certificates for AD users and
computers, Enterprise CAs are necessary.

I know that it is possible to have local Enterprise Issuing CAs linked
to a third party WEB Trusted ROOT CA. This would take off the hassle
of installing and maintaining a ROOT CA and Intermediate CAs.
Moreover, the ROOT CA I am mentioning is automatically trusted in IE,
Opera, Safari and soon in Mozilla.

If you think this would be of an interest, I could check and give you
the company name that provides such possibilities..
Regards.



On May 22, 6:42 am, Paul Adare wrote:
> On Wed, 21 May 2008 08:16:00 -0700, Sam wrote:
> > Sorry for the confusion. My plan is/was to have one enterprise CA
> > (intermediate) and 3 subordinate issuing servers.
>
> So to clarify, you plan on implementing:
>
> 1 offline root as a standalone CA
> 1 online policy (intermediate) Enterprise CA
> 3 online issuing standalone CAs
>
> Is that correct? If so, then given your original scenario you don't really
> need 3 tiers, and even if you were to implement 3 tiers the policy or
> intermediate tier should also be offline and be a standalone CA, not an
> Enterprise CA and your online issuing CAs should be the Enterprise CAs.
>
> >  My original question asked
> > if anyone has virtualized (using VMWARE specifically) for their CA
> > environment.
>
> VMWare is not officially supported for Certificate Services. Virtual Server
> 2005 R2 SP1 is.
>
>
>
> > I would like to have just one Enterprise CA if possible as the less servers
> > I have to manage the better. For now we will only be using the certificates
> > internally for email and EFS.
>
> I don't think you understand the differences between standalone and
> Enterprise CAs. You're far better off making your 3 issuing CAs Enterprise
> CAs as then you get all of the benefits of being able to manage them as you
> would any member server. Standalone CAs are more of a management burden and
> provide less functionality.
>
>
>
> > Externally, we have about 10 SSL Certificates all through Verisign and
> > please note I still have lots to learn about all of this and if issuing our
> > own SSL certs will cause problems with our Customers, I will keep the Versign
> > version. The external Certs are used by non-employees and employees.
>
> The problem with certificates that are issued internally is that no one
> outside of your organization will trust your root CA and a PKI is all about
> trust. If you use internally issued SSL certs for your external web sites,
> everyone who visits your site will receive a warning about the cert being
> issued by a CA they don't trust. IF you're only dealing with 10 external
> certs then you're better off to keep purchasing these.
>
> --
> Paul Adarehttp://www.identit.ca
> On a clear disk you can seek forever.  -- Denning

 

[Sam]

Thank you for your response and time. I will keep only enterprise CA's and it
is obvious I still have a lot to read and learn before I implement this
environment.

"Paul Adare" wrote:

> On Wed, 21 May 2008 08:16:00 -0700, Sam wrote:
>
> > Sorry for the confusion. My plan is/was to have one enterprise CA
> > (intermediate) and 3 subordinate issuing servers.
>
> So to clarify, you plan on implementing:
>
> 1 offline root as a standalone CA
> 1 online policy (intermediate) Enterprise CA
> 3 online issuing standalone CAs
>
> Is that correct? If so, then given your original scenario you don't really
> need 3 tiers, and even if you were to implement 3 tiers the policy or
> intermediate tier should also be offline and be a standalone CA, not an
> Enterprise CA and your online issuing CAs should be the Enterprise CAs.
>
> > My original question asked
> > if anyone has virtualized (using VMWARE specifically) for their CA
> > environment.
>
> VMWare is not officially supported for Certificate Services. Virtual Server
> 2005 R2 SP1 is.
>
> >
> > I would like to have just one Enterprise CA if possible as the less servers
> > I have to manage the better. For now we will only be using the certificates
> > internally for email and EFS.
>
> I don't think you understand the differences between standalone and
> Enterprise CAs. You're far better off making your 3 issuing CAs Enterprise
> CAs as then you get all of the benefits of being able to manage them as you
> would any member server. Standalone CAs are more of a management burden and
> provide less functionality.
>
> >
> > Externally, we have about 10 SSL Certificates all through Verisign and
> > please note I still have lots to learn about all of this and if issuing our
> > own SSL certs will cause problems with our Customers, I will keep the Versign
> > version. The external Certs are used by non-employees and employees.
>
> The problem with certificates that are issued internally is that no one
> outside of your organization will trust your root CA and a PKI is all about
> trust. If you use internally issued SSL certs for your external web sites,
> everyone who visits your site will receive a warning about the cert being
> issued by a CA they don't trust. IF you're only dealing with 10 external
> certs then you're better off to keep purchasing these.
>
> --
> Paul Adare
> http://www.identit.ca
> On a clear disk you can seek forever. -- Denning
>

 

[krutz]

Depending on your final use of computer and end user certificates,
they need to be trusted when used in a public world.
Either you use an available publically trusted ROOT CA or you will
have to create your own ROOT CA and distribute it to all your
potential partners and clients (nearly impossible to manage in a
medium to large scale).

Regards,



On May 22, 3:17 pm, Sam wrote:
> Thank you for your response and time. I will keep only enterprise CA's and it
> is obvious I still have a lot to read and learn before I implement this
> environment.
>
>
>
> "Paul Adare" wrote:
> > On Wed, 21 May 2008 08:16:00 -0700, Sam wrote:
>
> > > Sorry for the confusion. My plan is/was to have one enterprise CA
> > > (intermediate) and 3 subordinate issuing servers.
>
> > So to clarify, you plan on implementing:
>
> > 1 offline root as a standalone CA
> > 1 online policy (intermediate) Enterprise CA
> > 3 online issuing standalone CAs
>
> > Is that correct? If so, then given your original scenario you don't really
> > need 3 tiers, and even if you were to implement 3 tiers the policy or
> > intermediate tier should also be offline and be a standalone CA, not an
> > Enterprise CA and your online issuing CAs should be the Enterprise CAs.
>
> > >  My original question asked
> > > if anyone has virtualized (using VMWARE specifically) for their CA
> > > environment.
>
> > VMWare is not officially supported for Certificate Services. Virtual Server
> > 2005 R2 SP1 is.
>
> > > I would like to have just one Enterprise CA if possible as the less servers
> > > I have to manage the better. For now we will only be using the certificates
> > > internally for email and EFS.
>
> > I don't think you understand the differences between standalone and
> > Enterprise CAs. You're far better off making your 3 issuing CAs Enterprise
> > CAs as then you get all of the benefits of being able to manage them as you
> > would any member server. Standalone CAs are more of a management burden and
> > provide less functionality.
>
> > > Externally, we have about 10 SSL Certificates all through Verisign and
> > > please note I still have lots to learn about all of this and if issuing our
> > > own SSL certs will cause problems with our Customers, I will keep the Versign
> > > version. The external Certs are used by non-employees and employees.
>
> > The problem with certificates that are issued internally is that no one
> > outside of your organization will trust your root CA and a PKI is all about
> > trust. If you use internally issued SSL certs for your external web sites,
> > everyone who visits your site will receive a warning about the cert being
> > issued by a CA they don't trust. IF you're only dealing with 10 external
> > certs then you're better off to keep purchasing these.
>
> > --
> > Paul Adare
> >http://www.identit.ca
> > On a clear disk you can seek forever.  -- Denning- Hide quoted text -
>
> - Show quoted text -