PKI patching best practices

Hello Experts,

One of my customers is facing a challenge with their security team, who is pushing them to patch all PKI servers on a monthly basis.

The IT department is looking for some sort of documentation on best practices to patch PKI servers [Offline Root, Enterprise sub CAs, NDES, OCSP, and web servers holding the CDP locations].

The idea is to push back on their requirements and come to an agreement to patch each PKI server role only when it is really required, or a few times a year, without compromising the integrity of the infrastructure and security.

What are best practices to patch PKI servers per role?

What is the impact if one of the servers becomes available after patching? Please elaborate on your answer.

Is there a business case or doc that can be used as a justification to push back on this requirement?

Please provide as much information as you can per server role and service impact.

Asked by Jerry Seinfield
Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
I agree with the security team.

Patch and reboot each month. If you're worried about availability, use multiple issuing servers and multiple distribution points. (But in reality almost nothing actually checks the CRL or OCSP and fails closed, so that's probably not a big deal on that side.)
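An added pre-patch check for the availability question above (example code written for this page, not from any participant in the thread). Clients that do check revocation cache a CRL until its NextUpdate time, so a CA or CDP web server being down for a patch window only breaks revocation checking if the currently published CRL expires before the host is back; OCSP responder downtime is the other case, which Windows clients normally survive by falling back to the CRL. The script fetches each CRL, reads NextUpdate from `certutil -dump`, and refuses the window if any CRL would expire during the outage plus a safety margin. The CDP URLs and the window sizes are hypothetical placeholders; substitute the URLs from your own CAs' CRL Distribution Points extension.

```powershell
# Added example, not from the thread. Run on any domain-joined Windows host
# before patching a CA or a CDP/OCSP web server. Assumptions: the CDP URLs
# below are placeholders, and certutil.exe is available (it ships with Windows).
param(
    [string[]]$CdpUrls = @(
        'http://pki.example.com/CertEnroll/Example%20Root%20CA.crl',      # hypothetical
        'http://pki.example.com/CertEnroll/Example%20Issuing%20CA1.crl'   # hypothetical
    ),
    [int]$OutageHours = 4,     # planned patch-and-reboot window (assumed)
    [int]$MarginHours = 24     # slack required beyond the window (assumed)
)

function Get-CrlNextUpdate {
    # Download one CRL and return its NextUpdate timestamp as [datetime].
    param([Parameter(Mandatory)][string]$Url)

    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop

        # certutil -dump prints the CRL header (ThisUpdate/NextUpdate) as text.
        $dump = (certutil.exe -dump $tmp 2>&1) | Out-String
        if ($LASTEXITCODE -ne 0) { throw "certutil failed: $dump" }

        $m = [regex]::Match($dump, '(?m)^\s*NextUpdate:\s*(.+?)\s*$')
        if (-not $m.Success) { throw "No NextUpdate field found in $Url" }

        # certutil formats dates in the current culture, so parse with it.
        return [datetime]::Parse($m.Groups[1].Value)
    }
    finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

# The CRL must outlive the outage plus the margin, measured from right now.
$deadline = (Get-Date).AddHours($OutageHours + $MarginHours)

$results = foreach ($url in $CdpUrls) {
    try {
        $next = Get-CrlNextUpdate -Url $url
        [pscustomobject]@{
            Cdp         = $url
            NextUpdate  = $next
            SlackHours  = [math]::Round(($next - (Get-Date)).TotalHours, 1)
            SafeToPatch = ($next -gt $deadline)
        }
    }
    catch {
        # A CDP that cannot be fetched now is itself a finding: fix it before
        # taking anything else down.
        Write-Warning "$url : $($_.Exception.Message)"
        [pscustomobject]@{
            Cdp         = $url
            NextUpdate  = $null
            SlackHours  = $null
            SafeToPatch = $false
        }
    }
}

$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.SafeToPatch }) {
    Write-Warning ('At least one CRL would expire (or could not be fetched) during the window. ' +
                   'Republish it first (certutil -CRL on the issuing CA, or sign a fresh CRL on the offline root) ' +
                   'and copy it to every CDP before patching.')
    exit 1
}
```

The same check is worth re-running right after the reboot: a CA whose service did not come back up stops publishing CRLs, and this is how you notice before the cached copy expires on the clients. For the offline root the margin is rarely a concern, since its CRL is usually issued with a validity of months, but the script still confirms the copy on the CDP web server is the current one.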
footech commented:

I have to agree with Jeremy and the security team as well.

I don't have anything readily to refer you to, though. The one machine which I wouldn't feel so bad about not patching as often is the root CA, if it is a standalone root and kept offline.
Pber, Solutions Architect, commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- Jeremy Weisinger (https:#a42378812)
-- footech (https:#a42379098)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer