Root Certificate Authority Backup Considerations
Introduction:
Microsoft Certificate Authority is an enterprise PKI solution that has been deployed widely and successfully across SME and enterprise organizations. Microsoft CA provides the PKI functionality needed by the network stack (DNS, NPS, wireless, Routing and Remote Access, smart cards), by application authentication such as ADFS, IIS and RMS, and by device authentication across the network.
Designing a PKI infrastructure requires a careful understanding of the organization's existing business requirements and an assessment of the infrastructure that the PKI solution must fit into. The PKI design architect should understand and assess the PKI requirements and identify the software and application components that can participate using certificates.
[Diagram: Microsoft CA at the centre of the internal corporate network, serving Network (Wireless, IPSEC), Storage (RMS, DFS), Servers (server communications), Clients (client authentication) and Applications (IIS, CRM, SAP, SharePoint, etc.)]
Organization Challenges:
Most organizations do not consider a failover plan for software infrastructure servers such as Microsoft AD or CA. The reason may be cost, or it may be an inexperienced design decision; either way it leads to catastrophic results when that specific service fails. In this example we consider Microsoft Certificate Authority.
A Certificate Authority failure may be caused by a server shutting down abruptly in the data centre, by a hardware failure, or by an IT team that has not managed its Certificate Authority for years. Whatever the cause, it leads to serious authentication issues for every piece of software and every application that relies on the Microsoft Certificate Authority.
Bad but Workable Design
[Diagram: PKI Infrastructure, Active Directory Infrastructure, Corporate Servers, Corporate / External clients, Proxy Server; a single CA with no redundancy]
The above design is still a workable solution, but there is no failover or high availability for the Certificate Authority. This poses the risk that systems will be unable to communicate when they try to reach either the Subordinate CA or the Root CA.
The PKI design architect should be responsible for properly documenting the infrastructure after the CA has been implemented. The documentation includes:
a) Active Directory forest infrastructure
b) Active Directory domain infrastructure
c) Existing CA infrastructure:
   - Root CA and Subordinate / Child CA infrastructure
   - Certificate template definitions
   - Data paths
   - CRL and AIA information
   - CSP
   - A backed-up copy of the CAPolicy.inf file
d) Provisioning of certificates to devices
e) Identity management
f) Network sites and subnet infrastructure
Once the above information has been recorded, administrators should design a backup solution that describes both the backup procedure and the restore procedure to follow in the event of a Microsoft Certificate Authority failure.
Recommended Design for a Single Site Infrastructure
[Diagram: PKI Infrastructure, Active Directory Infrastructure, Corporate Servers, Corporate / External clients, Proxy Server, CRL distribution points published to several locations, Backup Server]
Backup Procedure
For backing up and restoring the Certificate Authority, follow the links below:
http://technet.microsoft.com/en-us/library/cc725565.aspx - Backup
http://technet.microsoft.com/en-us/library/cc753374.aspx - Restore
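The script below is an added example, not part of the original document and not Microsoft's own tooling. It collects the CA configuration items from the documentation checklist above (CRL and AIA URLs, CSP, CAPolicy.inf, templates) next to a backup of the CA database and private key taken with Backup-CARoleService. It assumes it is run in an elevated PowerShell session on a CA running Windows Server 2012 or later with the ADCSAdministration module; the backup location $BackupRoot, the output file names and the expected layout of the backup folder (a .p12 key file and a DataBase directory) are assumptions to adjust for your environment.

```powershell
# Added example: document the CA configuration and back up database + private key.
# Assumptions: elevated session on the CA itself, ADCSAdministration module available,
# $BackupRoot is a placeholder (use an off-box, access-controlled share in practice).
#Requires -RunAsAdministrator
param(
    [string]$BackupRoot = 'D:\CABackup'   # assumed backup location
)

$ErrorActionPreference = 'Stop'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target | Out-Null

# 1. Record the CA configuration the checklist asks for, so a restore can reproduce it.
certutil -CAInfo                          | Out-File (Join-Path $target 'cainfo.txt')
certutil -getreg CA\CRLPublicationURLs    | Out-File (Join-Path $target 'crl-urls.txt')
certutil -getreg CA\CACertPublicationURLs | Out-File (Join-Path $target 'aia-urls.txt')
certutil -getreg CA\CSP                   | Out-File (Join-Path $target 'csp.txt')

# Export the whole CertSvc configuration hive; registry-only settings are not in the DB backup.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $target 'certsvc-config.reg') /y | Out-Null

# CAPolicy.inf lives in %SystemRoot% on the CA and is not part of the database backup.
$caPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $caPolicy) { Copy-Item $caPolicy $target }

# Certificate templates published by this CA (enterprise CA only).
Import-Module ADCSAdministration
Get-CATemplate | Out-File (Join-Path $target 'templates.txt')

# 2. Back up the CA database AND the CA private key. A System State backup does not
#    include the key, so this is the step that makes a real restore possible.
$pw = Read-Host -AsSecureString 'Password to protect the exported CA key'
Backup-CARoleService -Path $target -Password $pw -Force

# 3. Sanity check (assumed layout): the key should be in a .p12 file and the database
#    in a DataBase subfolder; fail loudly if either is missing rather than trusting
#    a backup that cannot be restored.
$pfx = Get-ChildItem -Path $target -Filter '*.p12' -ErrorAction SilentlyContinue
if (-not $pfx -or -not (Test-Path (Join-Path $target 'DataBase'))) {
    throw "CA backup incomplete in $target"
}
Write-Host "CA backup written to $target"
```

Run it from a scheduled task on the CA and copy the resulting folder off the server; the exported .p12 holds the CA's private key, so the backup location deserves the same access controls as the CA itself.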
Infrastructure Solution Tips:
1. At least one book written by an industry expert advises that a System State backup can be used to back up the private keys of the CA, but Microsoft has confirmed that a System State backup does not store the private keys.
2. If the CA fails and no backup of it exists, administrators have to remove the CA entries from the Active Directory domain. This will, or may, affect existing connections: clients rely on the CRL distribution points, validate the CRL and check its "Next Update" value, and the certificates keep working until that time. Once the CA is decommissioned, however, those communications will fail.
3. If the Root CA fails and there is no backup, the only recommendation is to build the PKI from scratch.
Note: a Subordinate CA cannot be promoted to a Root CA.
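Tip 2 above is the reason a neglected CA is usually discovered too late: nothing breaks until the published CRL reaches its Next Update time. The check below is an added example, not part of the original document, that downloads each published CRL and warns when its Next Update is close or already past. It assumes the CRL distribution point URLs in $CrlUrls are placeholders to replace with your own, that certutil -dump prints a "NextUpdate:" line in the machine's local date format, and that the 48-hour warning threshold is a local choice.

```powershell
# Added example: alert before a CA's published CRL expires (see tip 2).
# Assumptions: placeholder CDP URLs, certutil -dump output contains "NextUpdate: <date>",
# and [datetime]::Parse understands that date in the current culture.
param(
    [string[]]$CrlUrls = @('http://pki.example.internal/CertEnroll/Corp-Root-CA.crl'), # placeholders
    [int]$WarnHours = 48   # assumed threshold; pick one shorter than your CRL publication interval
)

$ErrorActionPreference = 'Stop'
$tmp = Join-Path $env:TEMP 'crlcheck'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null

foreach ($url in $CrlUrls) {
    $file = Join-Path $tmp ([IO.Path]::GetFileName($url))
    try {
        # A CDP that cannot be reached is as bad as an expired CRL for clients that check it.
        Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing
    } catch {
        Write-Warning "CRITICAL: cannot download CRL from $url ($($_.Exception.Message))"
        continue
    }

    # certutil -dump decodes the DER-encoded CRL; extract the NextUpdate line from its text.
    $dump = certutil -dump $file | Out-String
    if ($dump -notmatch '(?m)^\s*NextUpdate:\s*(.+?)\s*$') {
        Write-Warning "CRITICAL: no NextUpdate found in $url; not a valid CRL?"
        continue
    }
    $nextUpdate = [datetime]::Parse($Matches[1])
    $hoursLeft  = [math]::Round(($nextUpdate - (Get-Date)).TotalHours, 1)

    if ($hoursLeft -le 0) {
        Write-Warning "CRITICAL: CRL $url reached Next Update at $nextUpdate; revocation checking now fails"
    } elseif ($hoursLeft -le $WarnHours) {
        Write-Warning "WARNING: CRL $url reaches Next Update in $hoursLeft h ($nextUpdate); republish it with 'certutil -CRL' on the CA"
    } else {
        Write-Host "OK: CRL $url valid for another $hoursLeft h (Next Update $nextUpdate)"
    }
}
```

Run it on a schedule from a monitoring host rather than on the CA, so the check keeps working when the CA itself is down; an offline Root CA is the usual candidate for a forgotten CRL, because nobody logs on to it between publication cycles.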