Offline CA Maintenance Tasks

Assuming you followed the steps in your key signing ceremony to retrieve the CA, the maintenance tasks can be summarized in four steps.

  1. Issue a new Certificate Revocation List (CRL) and publish it to the configured Offline Certification Authority distribution points.

  2. Apply major release updates – such as service packs – to the offline Certification Authority. Take into consideration that you don’t need to apply any security updates because the Offline Certification Authority should never be connected to the network.

  3. Take a new CA backup and save it to a location outlined in your key signing ceremony.

  4. Power off the Offline Certification Authority and follow the steps in the key signing ceremony to secure the CA.

The steps above assume you followed the security best practices when building an offline CA.
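A PowerShell script that carries out steps 1, 3 and 4 on the CA itself (step 2, the service pack install, stays manual), added here as an example and not taken from the original post. It assumes Windows Server 2012 R2 or later with the ADCSAdministration module, an elevated session on the offline CA, and that E:\ is the removable media prepared for this ceremony.

```powershell
# Offline CA maintenance: issue a CRL, stage it for transfer, back up the CA.
# Assumptions (not from the post): run elevated on the offline CA itself,
# ADCSAdministration module available, E:\ is the media prepared for this ceremony.
$ErrorActionPreference = 'Stop'
$Media     = 'E:\'
$BackupDir = Join-Path $Media ("CABackup-" + (Get-Date -Format 'yyyyMMdd'))
$EnrollDir = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

# Step 1: issue a fresh CRL and confirm the files were actually rewritten.
$before = Get-Date
certutil -crl | Out-Null
$crls = Get-ChildItem -Path $EnrollDir -Filter '*.crl' |
    Where-Object { $_.LastWriteTime -ge $before }
if (-not $crls) { throw "certutil -crl did not produce a new CRL in $EnrollDir" }

# Print the validity window so the operator can confirm NextUpdate covers the
# interval until the next scheduled ceremony (certutil -dump prints both fields).
foreach ($crl in $crls) {
    certutil -dump $crl.FullName |
        Select-String 'ThisUpdate|NextUpdate' |
        ForEach-Object { "$($crl.Name): $($_.Line.Trim())" }
}

# Stage the CRLs on the media; publication to the distribution points happens
# from a networked host, never from the offline CA.
$crlStage = Join-Path $Media 'crl'
New-Item -ItemType Directory -Path $crlStage -Force | Out-Null
Copy-Item -Path $crls.FullName -Destination $crlStage

# Step 3: back up the CA database and key. The password is prompted for, not
# stored in the script, and every staged file is hashed for the ceremony log.
Import-Module ADCSAdministration
$pw = Read-Host -Prompt 'Backup password' -AsSecureString
Backup-CARoleService -Path $BackupDir -Password $pw
Get-ChildItem -Path $BackupDir, $crlStage -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $Media 'manifest.csv') -NoTypeInformation

# Step 4: power off only after the operator has checked the manifest against
# the ceremony record; the CA is then secured per the ceremony procedure.
if ((Read-Host 'Manifest verified, power off now? (y/n)') -eq 'y') {
    Stop-Computer -Force
}
```

Verify the hashes in manifest.csv again on the host that publishes the CRL and stores the backup, so a tampered or corrupted transfer is caught before anything is published.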

Comments
  • > you don’t need to apply any security updates because the Offline Certification Authority should never be connected to the network

    Considering that Stuxnet and Flame were likely delivered by USB, CD, or other media, I'm sure that this advice is invalid. I would suggest purchasing a new USB stick / floppy, using it once for the re-key / backup and destroying it afterward. Once that media *touches* less secure devices it should be considered tainted.

  • Major release updates are service packs which MUST be installed to maintain operating system support
