PKI Implementation

%3CLINGO-SUB%20id%3D%22lingo-sub-289623%22%20slang%3D%22en-US%22%3EPKI%20Implementation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-289623%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EI'm%20implementing%20a%20two%20tier%2C%20offline%20Root%20CA%2C%20PKI%20for%20a%20small%20client%20with%20need%20for%20some%20%22proper%22%20security.%20Since%20it%20is%20a%20small%20business%2C%20I'm%20trying%20to%20reduce%20server%20count%20to%20keep%20maintenance%20and%20licensing%20costs%20down.%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%20So%20I'm%20wondering%20what%20else%20would%20be%20reasonable%20to%20run%20on%20the%20same%20VM%20as%20the%20Enterprise%20CA.%3C%2FSPAN%3E%3CBR%20%2F%3E%20%3CSPAN%3ESince%20I%20am%20also%20going%20to%20implement%20AAD%20Connect%2C%20are%20there%20any%20issues%2Frisks%20associated%20with%20running%20AAD%20Connect%20and%20the%20Enterprise%20CA%20on%20the%20same%20server%3F%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%20Any%20other%20thoughts%20or%20ideas%3F%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%20Thanks%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-289623%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-297252%22%20slang%3D%22en-US%22%3ERe%3A%20PKI%20Implementation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-297252%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20the%20customer%20has%20a%20small%20team%20and%20is%20not%20very%20process%20orientated%20it%20may%20make%20sense%20to%20dis%20regard%20the%20%22offline%22%20RootCA.%20This%20may%20seem%20counter%20intuitive%20but%20it%20requires%20additional%20disciplined%20processes%20for%20management%20and%20maintenance%20and%20it's%20value%20is%20limited%20unless%20it%20is%20genuinely%20offline%20and%20is%20never%20connected%20to%20a%20network.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-290630%22%20slang%3D%22en-US%22%3ERe%3A%20PKI%20Implementation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-290630%22%20slang%3D%22en-US%22%3E%3CP%3EIMO%2C%20I%20will%20keep%20Certificate%20servers%20always%20separately%20from%20other%20roles%20while%20you%20also%20have%20to%20think%20how%20to%20publish%20CRL%20list%20for%20example%20to%20Internet%20if%20there%20is%20a%20need.%20Secondly%20if%20something%20happens%20there%20is%20a%20risk%20how%20the%20renew%20all%20certificates%20in%20the%20client%20side%20where%20the%20users%20interuption%20shows%20a%20major%20thing%20if%20they%20cannot%20for%20example%20sign%20in%20to%20Network%20while%20the%20IEEE802.1x%20does%20not%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPetri%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
MVP

I'm implementing a two tier, offline Root CA, PKI for a small client with need for some "proper" security. Since it is a small business, I'm trying to reduce server count to keep maintenance and licensing costs down.
So I'm wondering what else would be reasonable to run on the same VM as the Enterprise CA.
Since I am also going to implement AAD Connect, are there any issues/risks associated with running AAD Connect and the Enterprise CA on the same server?
Any other thoughts or ideas?
Thanks

2 Replies

IMO, I will keep Certificate servers always separately from other roles while you also have to think how to publish CRL list for example to Internet if there is a need. Secondly if something happens there is a risk how the renew all certificates in the client side where the users interuption shows a major thing if they cannot for example sign in to Network while the IEEE802.1x does not work.

 

Petri

 

If the customer has a small team and is not very process orientated it may make sense to dis regard the "offline" RootCA. This may seem counter intuitive but it requires additional disciplined processes for management and maintenance and it's value is limited unless it is genuinely offline and is never connected to a network.