PKI patching best practices

Hello Experts,

One of my customers is facing a challenge with their security team, which is pushing them to patch all PKI servers on a monthly basis.

The IT department is looking for some sort of documentation on best practices to patch PKI servers [offline root, enterprise sub CAs, NDES, OCSP, and web servers holding the CDP locations].

The idea is to push back on their requirements and come to an agreement to patch each PKI server role only when it is really required, or a few times a year, without compromising the integrity and security of the infrastructure.

What are best practices to patch PKI servers per role?

What is the impact if one of the servers becomes available after patching? Please elaborate your answer.

Is there a business case or doc that can be used as a justification to push back on this requirement?

Please provide as much information as you can per server role and service impact.

Jerry Seinfield asked:


Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
I agree with the security team.

Patch and reboot each month. If you're worried about availability, use multiple issuing servers and multiple distribution points. (But in reality almost nothing actually checks the CRL or OCSP and fails closed, so that's probably not a big deal on that side.)
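The practical check behind the advice above is that a CA can be rebooted safely as long as the CRL it has already published remains valid for longer than the patch window, since relying parties use the CRL they downloaded, not the CA itself. The following is an added example (not posted by anyone in this thread) of a pre-patch script for an issuing CA: it prints the configured CRL period, publishes a fresh base CRL so NextUpdate is as far out as possible, and then fetches the CRL from each CDP to confirm NextUpdate covers the planned downtime. The CDP URL, the downtime figure and the assumption that certutil's date output parses under the host's locale are all hypothetical.

```powershell
# Added example, not from the original thread.
# Run on the issuing CA with local admin rights before a patch/reboot window.
# Assumptions: $CdpUrls are this CA's HTTP CDP locations (hypothetical URL);
# $DowntimeHours is the planned patch + reboot window; certutil's date output
# parses with [datetime]::Parse under the host's locale.
param(
    [string[]]$CdpUrls = @("http://pki.example.com/CertEnroll/Issuing-CA.crl"),
    [int]$DowntimeHours = 4
)

# 1. Show the configured CRL publication period so the headroom is visible.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod

# 2. Publish a fresh base CRL right before the window so NextUpdate is as
#    far in the future as the configured period allows.
certutil -CRL

# 3. Verify every CDP actually serves a CRL whose NextUpdate covers the window.
$deadline = (Get-Date).AddHours($DowntimeHours)
$ok = $true
foreach ($url in $CdpUrls) {
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + ".crl")
    Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing

    # certutil -dump prints a "NextUpdate: <date>" line for a CRL.
    $line = (certutil -dump $tmp | Select-String 'NextUpdate:').Line
    $nextUpdate = [datetime]::Parse(($line -replace '^\s*NextUpdate:\s*', ''))

    if ($nextUpdate -lt $deadline) {
        Write-Warning "$url : CRL NextUpdate $nextUpdate ends before the window closes ($deadline)"
        $ok = $false
    } else {
        Write-Host "$url : CRL valid until $nextUpdate, covers the window"
    }
    Remove-Item $tmp
}

if (-not $ok) {
    Write-Warning "Extend CRLPeriod or shorten the window before rebooting this CA."
}
```

If any CDP reports a NextUpdate inside the window, either lengthen the CRL period (and republish) or move the CA's reboot, since a CRL that expires while the CA is down is the one case where a strict relying party will start failing validation. The OCSP responder caches the CA's CRL as well, so the same NextUpdate check tells you how long it can keep answering while the CA is offline.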

I have to agree with Jeremy and the security team as well.

I don't have anything readily to refer you to, though. The one machine which I wouldn't feel so bad about not patching as often is the root CA, if it is a standalone root and kept offline.
Pber (Solutions Architect) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- Jeremy Weisinger (https:#a42378812)
-- footech (https:#a42379098)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer
Public Key Infrastructure (PKI)