Microsoft Certificate Server virtualization policy

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

First published on TECHNET on Aug 09, 2010

If you are unsure regarding the Microsoft Certificate server virtualization policy, just see the Microsoft Virtual Server support policy knowledgebase article at http://support.microsoft.com/kb/897613 .

It is worth to mention that a hardware security module (HSM) is always recommended when operating a certification authority on a virtual Windows Server. The rational behind this recommendation is quite simple: The private keys are a most valuable asset and must be highly protected. Decoupling the storage of the keys from the CA database and its configuration is a smart decision! In case the worst case happens and the virtual CA image gets out of your control, you still haven't lost the private key because it is stored in the HSM.

I always feel very concerned when CA administrators suggest to run offline CAs as virtual machines without an HSM. This is a great money saving opportunity - they tell me … The worst case scenario is burning the virtual machine with no HSM in place on a DVD as a secure backup solution. What if the DVD is lost /duplicated/becoming unreadable? They could loose their entire PKI topology sooner or later.

In summary, a Windows online or offline CA is a good candidate for a virtual environment if you have a reliable Hyper-V setup in place and a the CA keys are stored securely in an HSM.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.