Certificate Authority Resilience

My scenario is I need to deploy a certificate authority to issue Root and User certificates to a PDA.

When the PDAs are built they have software installed to establish a VPN connection. During the installation process on the PDA the VPN software needs to request a root CA and a user CA. These certificates are currently issued by a Standalone Root CA.

My query is: if the Standalone Root CA goes offline (severe hardware failure), the PDA clients wouldn't be able to establish a VPN connection as the certificates couldn't be validated.

What do I need to do so that if the Standalone Root CA goes offline (hardware failure, 4 hour response etc.), a new PDA client that had previously obtained a root and user CA from the Standalone Root CA can present its certificates to another CA and have the certificate validated?

The VPN setup is irrelevant; it's more about the CA resilience.

Any advice would be appreciated.

frontpedal asked:
Pber, Solutions Architect, commented:
My concern with this setup is that the Root CA is online, period. Best practice is to never have the root CA touch the network. You bring it up offline and export the key pairs to removable media and use that to create a subordinate CA. The only other times you bring it up offline are to issue CRLs and to renew subordinate certificates.
The issue with placing the root CA online is if it ever gets compromised, you can never properly revoke a bogus certificate issued from the root on end clients because they trust the root.
The PDA should allow you to manually install a trusted root CA certificate on it, and certificates issued from the subordinate should be validated. Similar to this process: http://www.mobilitysite.com/boards/applications/109323-real-solution-installing-root-certificate-your-pda.html
Paranormastic, Cryptographic Engineer, commented:
Agreed with pber that you should set up a 2nd tier for an online issuing subordinate and get the root offline. That being said... regarding your issue I have 2 suggestions:

1) Move the root to a virtual machine (and set up a second VM for the sub CA :) - save the image to a removable hard drive (keep the root locked up) - you can then back up and restore to another hard drive in a hardware-agnostic way. Little downtime.

2) Windows Server 2008 CA supports clustering - you can do that if it's really worth the expense. 2003 did not support clustering.

Also note that the validation of existing certs will be good until the CRL expires - normally this is a week or a month. You should publish a new CRL every 1/2 of the validity period (e.g. every 3-4 days or 2 weeks, etc.) so you have some overlap in case the CA does die out.

Paranormastic, Cryptographic Engineer, commented:
Both answers are valid; mine was an extension of pber's. Not to sound egotistical, but while pber was correct in all he said, he did not address the core question: "My query is if the Standalone Root CA goes offline (severe hardware failure), the PDA clients wouldn't be able to establish a VPN connection as the certificates couldn't be validated."

Yes, the root should be taken offline and a subordinate CA put up - that we both agree on, and hopefully this is heeded by frontpedal. However, the sub CA will have the same productivity risk that was really the main concern. My answer gave a couple of easy and effective solutions that could be applied to the root, but hopefully will be applied to a new sub CA instead/as well.
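A worked configuration for the two resilience points raised in the answers above (pber's offline root with an online issuing subordinate, and Paranormastic's CRL overlap plus a hardware-agnostic backup), as an added example that is not from the thread. It assumes a Windows Server AD CS CA driven with certutil; the backup path, CA name and password prompt are placeholders.

```powershell
# Added example, not the thread's own commands. Assumes a Windows Server CA
# (AD CS, standalone or enterprise) managed with certutil. Run this on the
# *issuing* (subordinate) CA; the root stays offline and only comes up to sign
# a long-lived CRL. Paths and names are placeholders.

# --- 1. CRL validity with overlap -------------------------------------------
# Paranormastic's rule: republish at about half the CRL lifetime. In AD CS the
# CRL's NextUpdate = ThisUpdate + CRLPeriod + CRLOverlapPeriod, and the CA
# republishes every CRLPeriod. With 1 week + 1 week the CRL is valid ~2 weeks
# and refreshed weekly, so if the CA dies clients keep validating >= 1 week.
certutil -setreg CA\CRLPeriod        "Weeks"
certutil -setreg CA\CRLPeriodUnits   1
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits  1
certutil -setreg CA\CRLDeltaPeriodUnits 0     # no delta CRLs for this CA

# Registry values are read at service start; then force a fresh base CRL.
Restart-Service CertSvc
certutil -crl

# Verify: ThisUpdate and NextUpdate of the base CRL (delta CRLs end in "+.crl")
# should now be ~2 weeks apart.
$crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
       Where-Object { $_.Name -notlike '*+.crl' } | Select-Object -First 1
certutil -dump $crl.FullName | Select-String 'ThisUpdate|NextUpdate'

# On the offline root (run there, not here): one CRL per year is typical, and it
# must be re-signed and copied to the CDP location before it expires.
#   certutil -setreg CA\CRLPeriod "Years"; certutil -setreg CA\CRLPeriodUnits 1

# --- 2. Hardware-agnostic backup of the issuing CA ---------------------------
# Database + private key + registry config are enough to rebuild the CA on new
# hardware with the same name and key, so existing certs and CRLs stay valid
# (the VM-image suggestion achieves the same; this also covers a physical box).
$backupDir = 'C:\CABackup'                        # placeholder; move off-box
$pfxPwd    = Read-Host 'Password for the exported CA key'
certutil -p $pfxPwd -backup $backupDir
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration `
           "$backupDir\CertSvc-Configuration.reg" /y

# Recovery on the rebuilt server: install the CA role choosing "use existing
# key" with the .p12 from $backupDir, then restore database and settings:
#   certutil -p <password> -restore C:\CABackup
#   reg import C:\CABackup\CertSvc-Configuration.reg ; Restart-Service CertSvc
```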