HSM implementation

technical specialist
PostPosted: Fri Apr 17, 2009 8:49 pm    Post subject: HSM implementation

We have an offline root issuing CA, built by a third party. We also have an online issuing CA that needs to be migrated to an HSM issuing CA.

Q1. Do I have to migrate both off line and online ones?
Q2. Which one should I start with?
Q3. Can I do the migration myself or do I have to refer to the third party?
Q4. What are the risks of the migration?
Fire Ant
PostPosted: Sat Apr 18, 2009 12:40 pm

Quote:
Q1. Do I have to migrate both off line and online ones?

What are your exact business drivers? Which hardware/software do you need to upgrade? If you only need to upgrade the issuing CA then only do that.

Quote:
Q2. Which one should I start with?

First of all, do not destroy any key material or CA configs. Build a new CA from scratch and start with the root if required. If you are only doing the issuing CA then build a new CA and issue it a new certificate from your existing root. This is a common process which every CA will go through.

Does your existing CA use an HSM? Quick note, I wouldn't import key material from your old CA into your new CA. I would generate new key material, thus starting a new issuing CA.

Quote:
Q3. Can I do the migration myself or do I have to refer to the third party?

I don't know, can you? What is the HSM and CA product being used? What is the support like for the products?

Quote:
Q4. What are the risks of the migration?

The risks, well that's a big question. Does your business rely on validation services such as CRL or OCSP? What would happen if your CA was unavailable?

Remember though that this forum is no substitute for paying a consultant to do it for you. Maybe you should consider doing some formal training on PKI and the products you are working with. Be very careful with everything you do; your business no doubt requires services from your PKI, and if you mess it up I can't troubleshoot all your problems. Now with my disclaimer over with.

Good luck,

Matt_s
technical specialist
PostPosted: Mon Apr 20, 2009 11:15 pm

Thank you for the valuable information. My current CA doesn't have an HSM installed. If I built a new CA and issued it a new certificate from the existing root, what is the next step?

Should I do any special configuration or installation to the HSM, prior to building the new CA?

What should I do with the old CA?
Fire Ant
PostPosted: Tue Apr 21, 2009 9:14 am

Quote:
Should I do any special configuration or installation to the HSM
You mean apart from configuring the HSM, binding it to the CA and generating new key material on the HSM?

What make of HSM is it?

Quote:
What should I do with the old CA?
Nothing, leave it working until you can validate your new CA is working. If you are running validation services on this CA then you may have to leave it running until all the certificates issued from it expire.

Matt_s
technical specialist
PostPosted: Tue Apr 21, 2009 4:16 pm

I mean for configuring the HSM, this information should be provided through the vendor, right?

After doing the configuration part, should we bind it to the CA and generate new key material on the HSM?

You mentioned that I should leave the old CA working if I am running validation services on it, and that I may then have to leave it running until all the certificates issued from it expire. Wouldn't the migration process take care of this step?

In case the online issuing CA blows up, would having the HSM help rebuild a new issuing CA?
Fire Ant
PostPosted: Tue Apr 21, 2009 4:47 pm

Quote:
I mean for configuring the HSM, this information should be provided through the vendor, right?
Correct, the vendor should provide some documentation; however, some of the individual settings such as FIPS etc. will be down to you.

Quote:
should we bind it to the CA and generate new key material on the HSM?
Yes, ensure that the CA can connect to the HSM and generate new key material which will form the key in the new certificate.

Quote:
You mentioned that I should leave the old CA working if I am running validation services on it, and that I may then have to leave it running until all the certificates issued from it expire. Wouldn't the migration process take care of this step?
This is a tough one, it depends. Which validation services are you running? Normally an OCSP response will be signed with its own certificate and you get into a whole raft of issues migrating that.

Quote:
In case the online issuing CA blows up, would having the HSM, help rebuild a new issuing CA?
No, a backup of your CA will help with that. The role of the HSM is to provide secure key storage (either on the HSM itself or in a Security World).

Matt_s
technical specialist
PostPosted: Tue Apr 21, 2009 10:02 pm

So does this mean, that I have to go through the following steps?

1. Configure the HSM, according to the vendor documentation
2. Ask the third party to install the new keys on the HSM
3. Install the online CA and bind it with the HSM.

Besides the above question, when we say migration of the issuing CA, does it mean keeping the same pair of keys and migrating them to another online CA, or issuing new keys and migrating the old CA to a new CA?
Fire Ant
PostPosted: Wed Apr 22, 2009 9:33 am

Quote:
2. Ask the third party to install the new keys on the HSM
Maybe, this depends on the application using the keys.

The term Issuing CA has nothing to do with what actually happens with the keys, e.g. moving them etc. An issuing CA is a CA which issues certificates, e.g. an Intermediate CA is an issuing CA, and yes, I know a root CA issues certs as well, but it normally only issues 1 certificate.

Matt_s