Offline Root CA Maintenance Best Practice Query.

  • Thread starter Sukhwinder Singh

Sukhwinder Singh

Dear All,

We have a two-tier CA architecture in our environment: an offline Root CA and
an online issuing CA. We have kept the offline Root CA on a VM. The VM is
turned off, but all servers in our environment are patched with the latest
security patches. Is it necessary to patch the Root CA server (offline)? What
is the best practice for patching and antivirus definition updates on an offline
Root CA?
 

Brian Komar

There is no "best practices" answer.
I have seen:
1) The offline root CA is fully patched the day before any key ceremony
activities.
2) The offline CA only has service packs and Cert Services fixes or related
(DST patch) applied, and anti-virus updates.
3) The offline CA only has anti-virus updates.
4) No updates applied, but only virus-scanned media is used.
What does your CPS state? That is the authoritative document.
Brian
 

Sukhwinder Singh

Dear Brian,

Thanks for your reply. What we wanted to know is how it is suggested to
patch the offline Root CA. We have our Root CA in a VM and it is offline. Is it
suggested to bring the Root CA online once a month to do the patching and
anti-virus update? We have heard from the Microsoft MCS team that some
organisations keep their offline Root CA in bank lockers, so I was
wondering how they patch their server.
It is mandatory from the organisation's security perspective that we
harden all the servers and patch them regularly. I need to have a proper
process in place for the same.

Thanks and Regards,

Sukhwinder Singh
 

Brian Komar

Then you must follow your policy.
If you state that the root CA publishes its CRL every 6 months (or whatever
your publication schedule is),
you should be able to add patching as a task for the day prior to CRL publication,
and perform all patching the day prior to CRL publication.
This is a common process at many of my clients.
They do not bring the root CA up just to apply patches as a separate event.
They do the patching as a preceding event to the CRL publication.
Brian
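
The schedule Brian describes (patch the offline root the day before the CRL publication event) can be driven from the root CRL itself. The following is an added example, not code from this thread; it assumes the CRL dates are read with `openssl crl -noout -lastupdate -nextupdate -in root.crl` and that a safety margin is wanted so the new CRL is published well before the old one expires.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what `openssl crl -noout -lastupdate -nextupdate`
# prints for a root CRL published on a six-month schedule.
SAMPLE_CRL_INFO = """lastUpdate=Jan 15 09:00:00 2024 GMT
nextUpdate=Jul 15 09:00:00 2024 GMT
"""


def parse_openssl_crl_dates(text):
    """Return (lastUpdate, nextUpdate) from openssl's output as aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key in ("lastUpdate", "nextUpdate"):
            # openssl pads single-digit days with a space; strptime tolerates that.
            found[key] = datetime.strptime(
                value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return found["lastUpdate"], found["nextUpdate"]


def plan_root_maintenance(last_update, next_update, now, safety_days=14):
    """Derive the CRL publication (ceremony) date and the patch date before it.

    safety_days is an assumed buffer: publish the new CRL that many days before
    the current one expires, so a slipped ceremony does not leave an expired CRL.
    """
    ceremony = next_update - timedelta(days=safety_days)
    patch_day = ceremony - timedelta(days=1)
    if now >= next_update:
        status = "expired"        # issuing CA and relying parties are already affected
    elif now >= ceremony:
        status = "overdue"        # buffer consumed; hold the ceremony now
    else:
        status = "scheduled"
    return {
        "crl_period_days": (next_update - last_update).days,
        "ceremony": ceremony,
        "patch_day": patch_day,
        "days_until_patch": (patch_day - now).days,
        "status": status,
    }


if __name__ == "__main__":
    last, nxt = parse_openssl_crl_dates(SAMPLE_CRL_INFO)
    plan = plan_root_maintenance(last, nxt, datetime.now(timezone.utc))
    for k, v in plan.items():
        print(f"{k}: {v}")
```

The status field is the alerting hook: a scheduled job on the online side that reports "overdue" or "expired" catches the case where the offline VM was never powered on for the ceremony.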
 
