Share via

Best Practices for Installing Subordinate Certification Authority (SubCA) Services

49885604 215 Reputation points
2024-10-10T13:17:46.6466667+00:00

Hello everyone,

Are there established best practices for deploying a Subordinate Certification Authority (SubCA) on a server? Specifically, is it advisable to install only the Certification Authority service on the SubCA server while hosting other services like NDES, CRL, and OCSP on dedicated servers to ensure security segregation?

In past projects, the SubCA server has typically only run the Certification Authority role and managed the certificate database, while other services are hosted elsewhere.

Kind regards and thanks in advance for any insights!

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | Other
0 comments
Accepted answer
  1. Marcin Policht 50,335 Reputation points MVP Volunteer Moderator
    2024-10-10T13:21:55.7033333+00:00

    Confirmed - there are established best practices for deploying a Subordinate Certification Authority (SubCA), and what you mentioned aligns well with these recommendations. Here are some key considerations:

    1. Isolating the CA Role: It's generally advisable to install only the Certification Authority service on the SubCA server. Keeping the CA role isolated enhances security by reducing the attack surface. The CA should be highly protected, as it holds the private key that signs certificates for other entities.
    2. Segregation of Roles and Services: Hosting other services such as the Network Device Enrollment Service (NDES), Certificate Revocation List (CRL), and Online Certificate Status Protocol (OCSP) on dedicated servers is a common best practice. This segregation allows for:
      • Better security: The critical private key of the CA is isolated from other services, reducing risk.
      • Easier maintenance: Each service can be updated, patched, or managed independently without impacting the CA.
      • Improved availability: Other services can be deployed in a redundant or load-balanced manner to enhance availability, while the SubCA can remain isolated and secure.
    3. Use of a Dedicated CRL Distribution Point (CDP) and OCSP: CRL distribution and OCSP services should be external to the CA server and reachable by clients. These can be hosted on separate web servers or load-balanced environments to handle requests efficiently without affecting the CA’s performance or security.
    4. Security Hardenings:
      • Limit access to the CA server to only necessary administrative accounts.
      • Implement strong network segmentation and firewall rules to restrict access to the CA.
      • Use Hardware Security Modules (HSMs) for key management if possible, especially for highly sensitive environments.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.