Specify CA certificate access points in issued certificates. Configure the offline root certification authority to support certificate revocation with Active Directory.
On the root certification authority, publish the certificate revocation list. Manually publish the certificate revocation list. Retrieve the certification authority's certificate and save it to a drive that has portable storage media.
Retrieve a certification authority certificate. Copy the CA certificate file to every URL location that you specified as an authority information access distribution point in the root CA's policy settings. Set up a server running Windows to use for the subordinate certification authority.
Install subordinate certification authorities, as required by your planned certification hierarchy. These can be stand-alone certification authorities or, if you are using Active Directory, enterprise certification authorities. Install a stand-alone subordinate certification authority; install an enterprise subordinate certification authority.
Copy the CA certificate request file from the subordinate certification authority to some portable storage media. Take the CA certificate request to the root certification authority. Using the Certificates Microsoft Management Console (MMC) on the offline CA, submit the certificate request file (requestfilename) to the CA and copy the new certificate (newcertname) to the portable storage media.
Manage certificates for a computer. Take the portable storage media back to the subordinate certification authority. In Windows Explorer, locate the certificate and certification path files you just copied, then right-click each file and choose Install Certificate.
Now that we have secure media in which to store our Offline Root CA operating system backups we can take the first backup.
Open Server Manager. This can be done by entering the following command in an Administrative PowerShell prompt. If you receive a warning that the selected volume is also included in the list of items to back up you should exclude the volume by clicking OK. The Windows Server Backup wizard will run. Ensure the backup Status is Completed and there are no errors.
During the process of this guide we should have four PDFs created that contain the recovery codes for our BitLocker-encrypted storage media. We should have: If you have a different method to securely store these PDFs you may consider that an option.
Depending on your application used to read the PDFs you may want to clear any local cached data to prevent anyone from being able to read or recover the PDFs holding the recovery keys. You may also forego digital storage of these backup keys entirely.
In such a case the information from the PDFs can be written down manually (do not print them) and verified. Two copies of the document should be created and stored in separate secure locations. We would now want to discuss the basic plan for how work on the Offline Root CA would actually be performed. With more engineering staff available, the process of interacting with the Offline Root CA can be made more secure by removing the ability for any one person to have full control over the processes required to interact with the Offline Root CA.
For example you could follow the same process as listed above but require Engineer A to only check out the BIOS boot password and allowing Engineer B to only check out the BitLocker OS Drive password while forbidding either from ever being able to check out the other credentials. Delegating credentials this way would require both engineers to work in tandem with approval from a third party that manages the physical access to the devices.
This also creates a situation where no one person ever works alone on the Offline Root CA, making it much harder for a single rogue employee to compromise the PKI. While we will be taking backups regardless of the hardware, if you can afford the expense it makes sense to use real server hardware, specifically for usage with enterprise RAID storage solutions.
Booting up your Root CA to realize a single bad disk means you need to restore from backup is not a fun time. Remember, offline means offline. By definition there can be no external monitoring of the Offline Root CA and no chance to catch hardware failures aside from physically checking. We want the Offline Root CA to have security features. For many even the cheaper local HSMs will be cost prohibitive. While we are not going to use a Hardware Key Storage Provider for this guide enterprise grade PKI should seriously consider hardware level key protection.
We want the Offline Root CA to be physically secured. The Offline Root CA must be physically secured before all else. While physical controls are outside of the scope of this guide you should consider who will receive physical access to the Offline Root CA, how they will get that access, and secure storage of credentials required to access the Offline Root CA.
The scope of work the Offline Root CA is going to be doing is very specific. We do not need excessive RAM, processing power, disk speed, or disk capacity. It is important that the device not be networked, ever.
We want to eliminate every possible attack vector to the device. This includes any network connectivity, ever. While this does add some tedium to the deployment process, you can rest easy knowing your Offline Root CA is secured.
I will configure the following settings: renewal information for the CA certificate; the validity period for the base CRL; disable the AlternateSignatureAlgorithm (more information on why can be found here); disable the DefaultTemplates, which are not used because this is an offline CA.
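The AIA/CDP publication points from the first section and the CRL validity and signature-algorithm settings listed above can be applied from an elevated PowerShell prompt on the root CA with certutil. This is an added example, not the guide's own script: the hostname pki.example.com, the 52-week CRL period, the 10-year issued-certificate validity and the local publication folder are assumptions to be replaced with your own values.

```powershell
# Added example (not from the original page): configure AIA/CDP publication
# points, CRL validity and the signature format on an offline root CA with
# certutil, then publish the CRL. Hostname, paths and periods are assumptions.
$ErrorActionPreference = 'Stop'
$httpBase = 'http://pki.example.com/pki'                 # assumption: HTTP distribution point reachable by all clients
$local    = 'C:\Windows\system32\CertSrv\CertEnroll'     # default local publication folder

# AIA: flag 1 = publish the CA cert locally, 2 = include URL in the AIA extension of issued certs.
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:$httpBase/%1_%3%4.crt"

# CDP: 1 = publish CRL locally, 2 = include in CDP extension, 8 = publish to AD (10 = 2+8).
# The LDAP entry only helps if the CRL is later pushed into AD (see certutil -dspublish below).
certutil -setreg CA\CRLPublicationURLs "1:$local\%3%8%9.crl\n2:$httpBase/%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

# Base CRL validity: the offline root is rarely booted, so a long period with a generous overlap.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0                # no delta CRLs on an offline root

# Validity of the certificates this root issues (its subordinate CA certificates).
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

# Disable the alternate (RSASSA-PSS) signature format; many clients only accept PKCS#1 v1.5.
certutil -setreg CA\CSP\AlternateSignatureAlgorithm 0

# DefaultTemplates are controlled at install time via CAPolicy.inf (LoadDefaultTemplates=0),
# so they are not touched here.

# Restart the CA service so the registry values take effect, then issue a new base CRL.
Restart-Service CertSvc
certutil -crl

# Verify: read the settings back and confirm a fresh CRL landed in the publication folder.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CSP\AlternateSignatureAlgorithm
Get-ChildItem "$local\*.crl" | Select-Object Name, LastWriteTime

# On a domain-joined administration host (never on the offline root), after copying the
# files over on portable media, publish them into Active Directory:
#   certutil -dspublish -f <RootCA>.crt RootCA
#   certutil -dspublish -f <RootCA>.crl
```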
The setup of the Offline Root CA is now completed. Next: Subordinate CA Server.