Offline Enterprise Root CA utilising a HSM

  • Question

  • An Offline Enterprise Root CA is usually frowned upon in PKI circles but this is the case with Root CAs installed on servers with their private key material. Standalone Root CAs not attached to a network are preferable but what about if your private key material for the Root CA is stored on an external network attached HSM where the partition is deactivated?

    The presence of the network HSM means the Root CA needs to be attached to the network to access its private key which in turn counters the fact that a standalone Root CA server should never be attached to a network.

    Does this mean that an Enterprise Root CA is ok in this situation or would it still be frowned upon?

    Wednesday, October 22, 2014 3:46 AM

Answers

  • If an offline CA uses a network HSM, the network is typically a private network which is just shared by the HSM and the CA. This private network should not be connected to the internal / 'AD' / 'office IT' network.

    'Enterprise' means AD-integrated (not only attached to a network) and this does not make sense for such a CA: The CA should not be available on the corporate network and communicate with DCs, so it cannot update its computer password and you cannot utilize templates. But of course you could also use a HSM with your online subordinate enterprise CAs. But if these use HSMs, the HSMs should also not be on the standard network but again connected to the CA via a second NIC and a private network segment.

    Elke

    • Edited by Elke Stangl Wednesday, October 22, 2014 6:09 AM
    • Marked as answer by Paliente Wednesday, October 22, 2014 10:42 PM
    Wednesday, October 22, 2014 6:08 AM
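As an added example (not from this thread or from Microsoft), the following PowerShell audit checks an offline root CA host against the layout described in the answer above: a standalone (non-AD-joined, non-Enterprise) CA whose only live NIC sits on a private segment shared with the HSM and routed nowhere else. The HSM segment `10.99.0.0/24` and HSM address `10.99.0.10` are placeholder assumptions.

```powershell
# Added example, not code from the thread. Audits an offline root CA host for the
# isolated-HSM layout: standalone CA, not domain-joined, one NIC on the HSM segment,
# no default route. Placeholders: adjust $HsmSubnet / $HsmAddress to your segment.
$HsmSubnet  = '10.99.0.'      # placeholder private segment shared only by CA and HSM
$HsmAddress = '10.99.0.10'    # placeholder network HSM address
$findings = @()

# 1. Domain membership: an offline root CA should not be AD-joined at all.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) { $findings += "Host is joined to domain $($cs.Domain)" }

# 2. CA type from the CertSvc registry: 3 = Standalone Root, 0 = Enterprise Root.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$active = (Get-ItemProperty -Path $cfg).Active
$caType = (Get-ItemProperty -Path "$cfg\$active").CAType
if ($caType -ne 3) {
    $findings += "CA '$active' has CAType $caType; expected 3 (Standalone Root)"
}

# 3. Network: exactly one adapter up, addressed on the HSM segment, no default gateway.
$up = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($up.Count -ne 1) {
    $findings += "$($up.Count) adapters are up; expected only the HSM-segment NIC"
}
foreach ($ip in Get-NetIPAddress -AddressFamily IPv4 -InterfaceIndex $up.ifIndex) {
    if (-not $ip.IPAddress.StartsWith($HsmSubnet)) {
        $findings += "Unexpected address $($ip.IPAddress) on $($ip.InterfaceAlias)"
    }
}
if (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue) {
    $findings += 'A default route exists; the HSM segment should not be routed anywhere'
}

# 4. Reachability: the HSM must answer on its segment (the CA needs it to sign).
if (-not (Test-NetConnection -ComputerName $HsmAddress -InformationLevel Quiet)) {
    $findings += "HSM $HsmAddress is not reachable from this host"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Offline root CA host matches the isolated-HSM layout.'
}
```

Run it on the CA host itself after the HSM partition has been activated; a default route or a second live adapter is the misconfiguration the answer warns about.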

All replies

  • Sorry to dig up an old thread.

My understanding would be that a root CA should ideally be offline, or at least only connected to a secure separate network. There is always a risk that networks may be bridged, or more likely misconfigured, such that a root CA becomes unintentionally connected to the wider network.

    Arguably, a physically secure offline root CA would be sufficient when supported by suitably designed access and backup procedures.  But the best approach, if necessary and/or affordable, would be to implement an HSM for private key storage.  For an offline root CA, that could be a USB HSM removing the need for a network connection.  An HSM provides a certifiable capability to provide the necessary protection for private keys of value.

But let's not forget the online issuing CA private keys. These should ideally be protected by a network attached HSM to facilitate secure key storage and automatic issuing/signing.

    Thursday, May 24, 2018 2:02 PM
  • The Offline Root CA discussion always takes an interesting turn if the plan is to host the CA on a VM, introducing other concerns to contend with, to ensure that "physically secure" can be enforced, something which can be a contradiction of sorts with virtualization/VMs, thereby requiring some other form of remediation.

    If the hypervisor doesn't support USB then a network-based HSM on a private network might be the only way to go to store keys; encryption, CA etc. off-base.

    http://blog.auth360.net

    Thursday, May 24, 2018 9:39 PM