Blog Post

Core Infrastructure and Security Blog
1 MIN READ

Microsoft Certificate Server virtualization policy

MS2065's avatar
MS2065
Icon for Microsoft rankMicrosoft
Jan 24, 2020

First published on TECHNET on Aug 09, 2010

If you are unsure regarding the Microsoft Certificate server virtualization policy, just see the Microsoft Virtual Server support policy knowledgebase article at http://support.microsoft.com/kb/897613 .

It is worth to mention that a hardware security module (HSM) is always recommended when operating a certification authority on a virtual Windows Server. The rational behind this recommendation is quite simple: The private keys are a most valuable asset and must be highly protected. Decoupling the storage of the keys from the CA database and its configuration is a smart decision! In case the worst case happens and the virtual CA image gets out of your control, you still haven't lost the private key because it is stored in the HSM.

I always feel very concerned when CA administrators suggest to run offline CAs as virtual machines without an HSM. This is a great money saving opportunity - they tell me … The worst case scenario is burning the virtual machine with no HSM in place on a DVD as a secure backup solution. What if the DVD is lost /duplicated/becoming unreadable? They could loose their entire PKI topology sooner or later.

In summary, a Windows online or offline CA is a good candidate for a virtual environment if you have a reliable Hyper-V setup in place and a the CA keys are stored securely in an HSM.

Updated Feb 21, 2020
Version 3.0