Certificate Authority Resilience

My scenario is I need to deploy a Certificate authority to issue Root and User certificates to a PDA.

When the PDAs are built they have software installed to establish a VPN connection. During the installation process on the PDA the VPN software needs to request a root CA and a user CA. These certificates are currently issued by a Standalone Root CA.

My query is: if the Standalone Root CA goes offline (severe hardware failure), the PDA clients wouldn't be able to establish a VPN connection, as the certificates couldn't be validated.

What do I need to do so that if the Standalone Root CA goes offline (hardware failure, 4-hour response etc.), a PDA client that had previously obtained a root and user CA from the Standalone Root CA can present its certificates to another CA and have the certificate validated?

The VPN setup is irrelevant; it's more about the CA resilience.

Any advice would be appreciated
2 Solutions
Pber (Solutions Architect) commented:
My concern with this setup is that the Root CA is online, period.  Best practice is to never have the root CA touch the network.  You bring it up offline and export the key pairs to removable media and use that to create a subordinate CA.  The only other times you bring it up offline are to issue CRLs and to renew subordinate certificates.
The issue with placing the root CA online is that if it ever gets compromised, you can never properly revoke a bogus certificate issued from the root on end clients, because they trust the root.
The PDA should allow you to manually install a trusted root CA certificate on it and certificates issued from the subordinate should be validated.  Similar to this process: http://www.mobilitysite.com/boards/applications/109323-real-solution-installing-root-certificate-your-pda.html
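Added example, not part of Pber's answer or of the thread: the CAPolicy.inf and post-install settings that put his offline-root layout into practice on a Windows Server 2008 standalone root. The root's CRL is given a one-year life so the machine needs to be powered on only for that annual CRL and for subordinate renewals, and its CDP/AIA are pointed at a separate always-on web server, since an offline box cannot serve its own CRL. The host name pki.example.com, the key size and the periods are placeholder assumptions.

```powershell
# Added example: offline root CA settings (Windows Server 2008). All values
# are illustrative assumptions; adjust to your own policy before use.

# 1. CAPolicy.inf is read from %windir% by the CA setup wizard when the role
#    is installed, and again on each renewal of the root certificate.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Key length for the root's own key. 2048 keeps older PDA VPN stacks working;
; use 4096 only if every client can validate it.
RenewalKeyLength=2048
; The root certificate itself is long-lived.
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; The root only ever revokes subordinate CA certificates, so its CRL can live
; a year. That annual CRL signing is the only routine reason to power it on.
CRLPeriod=Years
CRLPeriodUnits=1
; No delta CRLs from an offline CA.
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; Standalone root: do not load enterprise templates.
LoadDefaultTemplates=0
'@
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding Ascii

# 2. After the role is installed: write the CRL and CA certificate to the local
#    CertEnroll folder (flag 1) and advertise an HTTP location on a separate,
#    always-on web server in issued certificates (flag 2). pki.example.com is a
#    placeholder; copy the files there by hand whenever a CRL is signed.
#    Tokens: %1 = server DNS name, %3 = CA name, %4 = certificate renewal
#    suffix, %8 = CRL name suffix, %9 = delta CRL suffix.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/pki/%1_%3%4.crt"

# 3. Restart so the new URLs take effect, then sign a CRL that carries them.
Restart-Service CertSvc
certutil -CRL
```

Run this from an elevated prompt on the root before it is taken off the network. The root's own certificate and CRL then live on the web server, and the subordinate CA's certificate chains to that root; the PDAs never need the root machine to be reachable, only the HTTP host.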
Paranormastic (Cryptographic Engineer) commented:
Agreed with pber that you should set up a second tier for an online issuing subordinate and get the root offline.  That being said, regarding your issue I have two suggestions:

1) Move the root to a virtual machine (and set up a second VM for the sub CA :) - save the image to a removable hard drive (keep the root locked up) - you can then back up and restore to another hard drive in a hardware-agnostic way.  Little downtime.

2) Windows Server 2008 CA supports clustering - you can do that if it's really worth the expense.  2003 did not support clustering.

Also note that the validation of existing certs will be good until the CRL expires - normally this is a week or a month.  You should publish a new CRL every half of the validity period (e.g. every 3-4 days or 2 weeks, etc.) so you have some overlap in case the CA does die out.
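Added example, not Paranormastic's own code: the certutil settings that implement his publish-at-half-life advice on the online issuing CA, followed by a small PowerShell function that works out how long PDA clients keep validating after the CA fails. A Windows CA sets a CRL's NextUpdate to ThisUpdate + CRLPeriod + CRLOverlapPeriod, so publishing weekly with a one-week overlap gives each CRL a two-week life, which is the half-period schedule described above. The registry value names are the Windows CA's; the periods and the dates in the worked case are illustrative assumptions.

```powershell
# Added example: CRL overlap on the ONLINE issuing CA (Windows Server 2008).
# Run from an elevated prompt on the CA. Periods are illustrative assumptions.

# Sign a new base CRL every week...
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
# ...but keep each one valid for a further week. NextUpdate becomes
# ThisUpdate + 1 week (period) + 1 week (overlap), so a missed publication
# leaves clients a full week before validation hard-fails.
certutil -setreg CA\CRLOverlapUnits 1
certutil -setreg CA\CRLOverlapPeriod "Weeks"
# Do not issue delta CRLs: a short-lived delta would reintroduce a tight deadline.
certutil -setreg CA\CRLDeltaPeriodUnits 0
# Restart so the values take effect, then sign a CRL with the new lifetime.
Restart-Service CertSvc
certutil -CRL

# How much time do clients have once the CA is down? (Model of the arithmetic.)
function Get-CrlGrace {
    param(
        [timespan]$CrlPeriod,      # CRLPeriod: republish interval
        [timespan]$Overlap,        # CRLOverlapPeriod: validity beyond the interval
        [datetime]$LastPublished,  # ThisUpdate of the last CRL the CA signed
        [datetime]$CaFailed        # when the hardware died
    )
    $nextUpdate = $LastPublished + $CrlPeriod + $Overlap
    $grace      = $nextUpdate - $CaFailed
    [pscustomobject]@{
        LastCrlNextUpdate    = $nextUpdate
        HoursOfGrace         = [math]::Round($grace.TotalHours, 1)
        # Negative grace: the CRL expired before the CA was repaired, so every
        # VPN connection that checks revocation is already failing.
        ClientsStillValidate = ($grace -gt [timespan]::Zero)
    }
}

$week    = [timespan]::FromDays(7)
$lastCrl = Get-Date '2009-03-01 00:00'
# Worst case: the CA dies one hour before it was due to republish.
$failed  = $lastCrl + $week - [timespan]::FromHours(1)

# Weekly CRL with a one-week overlap (the settings applied above).
Get-CrlGrace -CrlPeriod $week -Overlap $week -LastPublished $lastCrl -CaFailed $failed
# The same failure with no overlap at all, for comparison.
Get-CrlGrace -CrlPeriod $week -Overlap ([timespan]::Zero) -LastPublished $lastCrl -CaFailed $failed
```

The first call comes out at roughly a week of grace, comfortably covering a 4-hour hardware response; the second leaves a single hour, so the VPN would go down almost as soon as the CA did. Two caveats: the grace only helps clients that already hold a cached CRL or can fetch one from a CDP on a host other than the dead CA, so do not publish the CRL only from the CA itself; and the trade-off is revocation latency, since a lost PDA's certificate stays valid for up to two weeks unless you push an out-of-schedule CRL with certutil -CRL, which needs the CA up.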
Paranormastic (Cryptographic Engineer) commented:
Both answers are valid, mine was an extension of pber's.  Not to sound egotistical, but while pber was correct in all he said, he did not address the core question: "My query is if the Standalone Root CA goes off line, (severe hardware failure), the PDA clients wouldnt be able to estblish a VPN connection as the certificates couldnt be validated."

Yes, the root should be taken offline and a subordinate CA put up - we both agree on that, and hopefully this is heeded by frontpedal.  However, the sub CA will have the same productivity risk that was really the main concern.  My answer gave a couple of easy and effective solutions that could be applied to the root, but hopefully will be applied to a new sub CA instead/as well.