PKI (CA Hierarchy) and Hyper-V pros and cons

H

hypnotix911

Enterprise three-tier CA hierarchy on virtual machines?
Or any part of hierarchy (offline or online CAs )? Is it bad idea?
Any thoughts?
Tnx a lot.
 
D

Dobromir Todorov

I don't think it is a bad idea - actually, considering the amount of
computational resources required on a CA, it is probably a good idea to have
all of them on small virtual machines.

The only thing that comes to mind is the fact that the CA private key and
other sensitive information better be stored on HSMs (should they be
supported on VM - which I doubt), or SmartCards (these are supported, if
connected to a USB slot). If the private key or other sensitive info is
stored locally on the VM, considering the fact that the VM is just a file,
then stealing the file is equivalent to breaking phusical security on real
servers.

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"hypnotix911" <hypnotix911@yahoo.com> wrote in message
news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
> Any thoughts?
> Tnx a lot.
>
 
B

Brian Komar \(MVP\)

Only if you use a network attached HSM to protect the CA private keys
Brian

"hypnotix911" <hypnotix911@yahoo.com> wrote in message
news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
> Any thoughts?
> Tnx a lot.
>
 
H

hypnotix911

Thank you both,
but what about using bitlocker on VM files?
(we don't have a budget for HSM)




"hypnotix911" <hypnotix911@yahoo.com> wrote in message
news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
> Enterprise three-tier CA hierarchy on virtual machines?
> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
> Any thoughts?
> Tnx a lot.
>
 
B

Brian Komar \(MVP\)

That does not protect the private keys.
Any body who is local Admin can:
1) Export the CA's private key and certificate
2) Import it into *any* computer they want
3) Issue a certificate that your org trusts and cannot revoke from the CA
console
What type of business are you in. Are you sure that you are making the right
decision.
But, to summarize, BitLocker does not replace a HSM
Brian

"hypnotix911" <hypnotix911@yahoo.com> wrote in message
news:O7XW9MAlIHA.5820@TK2MSFTNGP04.phx.gbl...
> Thank you both,
> but what about using bitlocker on VM files?
> (we don't have a budget for HSM)
>
>
>
>
> "hypnotix911" <hypnotix911@yahoo.com> wrote in message
> news:OC9JVIqkIHA.4076@TK2MSFTNGP05.phx.gbl...
>> Enterprise three-tier CA hierarchy on virtual machines?
>> Or any part of hierarchy (offline or online CAs )? Is it bad idea?
>> Any thoughts?
>> Tnx a lot.
>>
>
>
 
You must log in or register to reply here.

Similar threads

A
Hyper-V won't allow me to use locally
Replies
0
Views
33
Adam Stiff
A
L
I'm having trouble collecting performance data from virtual machines and having empty results. what could be the reason / root cause of this issue.
Replies
0
Views
20
Logeshwaran M
L
J
The Future of Windows Server Hyper-V is Bright!
Replies
0
Views
105
Jeff Woolsey
J
A
Issue with Generation 2 Hyper-V machines
Replies
0
Views
72
asem khalil
A
V
How to preview: Azure Arc-connected Hotpatching for Windows Server 2025
Replies
0
Views
45
VishalBajaj
V
Back
Top Bottom