Confirmed - there are established best practices for deploying a Subordinate Certification Authority (SubCA), and what you mentioned aligns well with these recommendations. Here are some key considerations:
- Isolating the CA Role: It's generally advisable to install only the Certification Authority service on the SubCA server. Keeping the CA role isolated enhances security by reducing the attack surface. The CA should be highly protected, as it holds the private key that signs certificates for other entities.
- Segregation of Roles and Services: Hosting other services such as the Network Device Enrollment Service (NDES), Certificate Revocation List (CRL), and Online Certificate Status Protocol (OCSP) on dedicated servers is a common best practice. This segregation allows for:
  - Better security: The critical private key of the CA is isolated from other services, reducing risk.
  - Easier maintenance: Each service can be updated, patched, or managed independently without impacting the CA.
  - Improved availability: Other services can be deployed in a redundant or load-balanced manner to enhance availability, while the SubCA can remain isolated and secure.
- Use of a Dedicated CRL Distribution Point (CDP) and OCSP: CRL distribution and OCSP services should be external to the CA server and reachable by clients. These can be hosted on separate web servers or load-balanced environments to handle requests efficiently without affecting the CA’s performance or security.
- Security Hardening:
  - Limit access to the CA server to only necessary administrative accounts.
  - Implement strong network segmentation and firewall rules to restrict access to the CA.
  - Use Hardware Security Modules (HSMs) for key management if possible, especially for highly sensitive environments.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
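As an added example (not part of Marcin's answer), the following PowerShell shows how the role-isolation and external CDP/AIA/OCSP points above can be applied and checked on a Windows Server SubCA using the ADCSAdministration module. The hosts pki.example.com and ocsp.example.com, the virtual directory names and the certificate file path are assumed placeholders to be replaced with your own.

```powershell
# Added example, not from the original answer. Assumes a Windows Server SubCA
# with the ADCSAdministration module and an external, client-reachable web host.
Import-Module ADCSAdministration

# 1. Role isolation: only the Certification Authority feature should be installed here.
#    NDES, OCSP, web enrollment etc. belong on separate servers.
$extraRoles = Get-WindowsFeature -Name 'ADCS-*' |
    Where-Object { $_.Installed -and $_.Name -ne 'ADCS-Cert-Authority' }
if ($extraRoles) {
    Write-Warning ("Non-CA AD CS roles installed on the CA server: " + ($extraRoles.Name -join ', '))
}

# 2. Point CDP and AIA at the external host, not at the CA server's own name.
#    The <...> tokens are AD CS substitution variables expanded at publish time.
$cdpUri  = 'http://pki.example.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$aiaUri  = 'http://pki.example.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt'
$ocspUri = 'http://ocsp.example.com/ocsp'

# Remove the default HTTP entries that reference the CA server itself;
# the local file publication path under CertEnroll is left in place.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'http://<ServerDNSName>*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -like 'http://<ServerDNSName>*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

Add-CACrlDistributionPoint -Uri $cdpUri -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri $aiaUri  -AddToCertificateAia  -Force
Add-CAAuthorityInformationAccess -Uri $ocspUri -AddToCertificateOcsp -Force

# Extension changes take effect after the CA service restarts.
Restart-Service -Name certsvc

# 3. Publish a fresh CRL, then confirm chain building fetches CRL/AIA/OCSP
#    from the external URLs rather than from the CA host.
certutil -crl
$subCaCert = 'C:\Windows\System32\CertSrv\CertEnroll\SUBCA01_Example-SubCA.crt'  # placeholder path
certutil -verify -urlfetch $subCaCert
```

The CRL and CA certificate written to CertEnroll still have to be copied to the external web host (for example by a scheduled task or a file-share publication entry) so that the URLs above actually resolve.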