Offline Root CA Maintenance Best Practice Query.


Sukhwinder Singh

Dear All,

We have a two-tier CA architecture in our environment: an offline Root CA and
an online issuing CA. We have kept the offline Root CA on a VM. The VM is
turned off. But all servers in our environment are patched with the latest
security patches. Is it necessary to patch the Root CA server (offline)? What
is the best practice for patching and antivirus definition updates on an offline
Root CA?
 
There is no "best practices" answer.
I have seen:
1) The offline root CA is fully patched the day before any key ceremony
activities.
2) The offline CA only has service packs and Cert Services fixes or related
(DST patch) applied, plus anti-virus updates.
3) The offline CA only has anti-virus updates.
4) No updates applied, but only virus-scanned media is used.
What does your CPS state? That is the authoritative document.
Brian
 
Dear Brian,

Thanks for your reply. What we wanted to know is how it is suggested to
patch the offline Root CA. We have our Root CA in a VM and it is offline. Is it
suggested to bring the root CA online once a month to do the patching and
anti-virus update? We have heard from the Microsoft MCS team that some
organisations have their offline Root CA kept in bank lockers, so I was
wondering how they patch their server.
It is mandatory from the organisation's security perspective that we have to
harden all the servers and patch them regularly. I need to have a proper
process in place for the same.

Thanks and Regards,

Sukhwinder Singh
 
Then you must follow your policy.
If you state that the root CA publishes its CRL every 6 months (or whatever
your publication schedule is), you should be able to add patching as a
"day prior to CRL publication" task, and perform all patching the day prior to
CRL publication.
This is a common process at many of my clients.
They do not bring the root CA up just to apply patches as a separate event.
They do the patching as a preceding event to the CRL publication.
Brian
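As an added illustration of the schedule Brian describes (this is example code written for this page, not something posted in the thread or shipped with AD CS), the script below builds the root CA's ceremony calendar from its CRL publication interval and CRL validity period: each ceremony gets a patch day (the day before) and a publication day. It also checks the one thing that turns a missed or delayed ceremony into an outage: if the CRL validity period is not comfortably longer than the publication interval, a slip of a few days leaves the previously published root CRL expired, and every certificate chaining to the root fails revocation checking. All dates, the 6-month interval and the validity period are constructed values for the example.

```python
from datetime import date, timedelta

# Constructed values for the example: a 6-month (182-day) publication
# interval, a CRL validity period somewhat longer than that (so there is an
# overlap window), and a two-year planning horizon.
FIRST_PUBLISH = date(2024, 1, 15)
PUBLISH_INTERVAL_DAYS = 182
CRL_VALIDITY_DAYS = 200
HORIZON_DAYS = 730


def plan_root_ca_events(first_publish, crl_validity_days, publish_interval_days,
                        horizon_days, patch_lead_days=1):
    """Build the offline root CA ceremony calendar.

    Each entry holds the day the VM is powered on and patched (patch_day),
    the day the new CRL is published (publish_day), and the day that CRL
    expires (crl_expires). Patching is scheduled as a preceding event to
    CRL publication rather than as a separate power-on."""
    events = []
    publish = first_publish
    end = first_publish + timedelta(days=horizon_days)
    while publish <= end:
        events.append({
            "patch_day": publish - timedelta(days=patch_lead_days),
            "publish_day": publish,
            "crl_expires": publish + timedelta(days=crl_validity_days),
        })
        publish += timedelta(days=publish_interval_days)
    return events


def coverage_gaps(events, slip_days=0):
    """Return the planned publish days that would leave the previous CRL
    expired if that ceremony slipped by slip_days (e.g. the VM could not be
    restored from the vault or powered on in time)."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        actual_publish = cur["publish_day"] + timedelta(days=slip_days)
        if actual_publish > prev["crl_expires"]:
            gaps.append(cur["publish_day"])
    return gaps


def overlap_days(crl_validity_days, publish_interval_days):
    """How many days a ceremony may slip before the current CRL expires."""
    return crl_validity_days - publish_interval_days


if __name__ == "__main__":
    calendar = plan_root_ca_events(FIRST_PUBLISH, CRL_VALIDITY_DAYS,
                                   PUBLISH_INTERVAL_DAYS, HORIZON_DAYS)
    for ev in calendar:
        print(f"patch {ev['patch_day']}  publish {ev['publish_day']}  "
              f"CRL expires {ev['crl_expires']}")
    print("tolerated slip (days):",
          overlap_days(CRL_VALIDITY_DAYS, PUBLISH_INTERVAL_DAYS))
    print("gaps if a ceremony slips 30 days:", coverage_gaps(calendar, 30))
```

The schedule is only as good as the overlap: with a 200-day CRL and a 182-day cadence, an 18-day slip is survivable, a 30-day slip is not, and a CRL whose validity equals the publication interval tolerates no slip at all. Checking the actual NextUpdate of the published root CRL (for example from `certutil -dump` on the CRL file) against this calendar is the practical monitoring step.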
 
How would you perform patching for offline root CA server when it is not joined to any network or domain?
 