One of my customers is facing a challenge with their security team, who is pushing them to patch all PKI servers on a monthly basis.
The IT department is looking for some sort of documentation on best practices to patch PKI servers [offline Root, Enterprise sub CAs, NDES, OCSP, and web servers holding the CDP locations].
The idea is to push back on their requirements and come to an agreement to patch each PKI server role only when it is really required, or a few times a year, without compromising the integrity and security of the infrastructure.
What are best practices to patch PKI servers per role?
What is the impact if one of the servers becomes available after patching? Please elaborate your answer.
Is there a business case or document that can be used as a justification to push back on this requirement?
Please provide as much information as you can per server role and service impact.