To harden your CAs, perform thorough security audits regularly, particularly before and after any major change to a CA. During each audit, look for anything that could affect the CAs' integrity. For example, confirm that no unauthorized person has been granted permission to modify a root CA or any of the subordinate CAs chained to it. (If you've enabled auditing, such permission changes are recorded in the Security log.)
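One way to turn the auditing advice into something you can check on a schedule, as an added example that is not part of the original article: the script enables every Certificate Services audit category, makes sure the Object Access subcategory that carries CA events is turned on, and then pulls the Security-log events that record permission changes, audit-filter changes, and backups or restores. It assumes a CA on Windows Server 2008 or later (event IDs 4876, 4878, 4882 and 4885 and the auditpol subcategory name are from that era) and that you run it elevated on the CA itself.

```powershell
# Added example, not from the original article. Assumes Windows Server 2008+ event IDs
# and that it runs elevated on the CA. Restarting certsvc briefly interrupts issuance.

# 1. Enable all CA audit categories. AuditFilter is a bit mask; 127 turns on every bit,
#    including 32 ("change CA security settings"), the one that records permission changes.
certutil -setreg CA\AuditFilter 127 | Out-Null
Restart-Service -Name certsvc

# 2. The CA only writes audit events if its Object Access subcategory is enabled.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null

# 3. Pull the events an integrity review cares about, from the last seven days.
$watch = @{
    4882 = 'CA security permissions changed'
    4885 = 'CA audit filter changed'
    4876 = 'CA backup started (private key left the server)'
    4878 = 'CA restore started'
}
$filter = @{ LogName = 'Security'; Id = [int[]]$watch.Keys; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Subject fields live in EventData; read them by name from the XML rather than by position.
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    $user = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
    $dom  = ($data | Where-Object Name -eq 'SubjectDomainName').'#text'
    [pscustomobject]@{
        Time  = $_.TimeCreated
        Id    = $_.Id
        What  = $watch[$_.Id]
        Actor = "$dom\$user"
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Event 4885 deserves particular attention: an attacker who wants to change CA permissions quietly will first turn the audit filter off, so a 4885 with no change ticket behind it is itself a finding.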
You can also reduce your CAs' exposure by remembering that the more code a system runs, the more likely it is that someone will find a flaw in it to exploit. Don't let anyone install applications on your CA servers, and disable every service you don't use, Microsoft IIS in particular, unless the CA relies on it for Web enrollment. Also configure your security policies to explicitly deny access to the CAs to everyone who doesn't require it.
Backing Up Your Certificate Databases
By far the most important way to protect a CA is to guard its certificate database against loss. Without a usable copy of the database, a failed server means building a new CA and reissuing every certificate the old one had issued.
Your first step is to back up the CA database regularly, at a minimum daily. The CA stores its certificates in an Extensible Storage Engine (ESE, also called Jet) database of the same kind Microsoft Exchange Server uses. You can back up the database in several ways, but I recommend the Certification Authority Backup Wizard, which Figure 1 shows, because in addition to the database it backs up the CA's private key and certificate.
To back up the certificate database, open the Microsoft Management Console (MMC) Certification Authority snap-in and navigate through the console tree to the server you want to back up. Right-click the server and select All Tasks, Backup CA from the context menus. On the wizard's introductory screen, click Next to reach the Items to Back Up dialog box. As Figure 1 shows, selecting the Private key and CA certificate check box backs up the CA's private key and its corresponding certificate. I also recommend selecting the Issued certificate log and pending certificate request queue check box, which ensures that you have an up-to-date copy of the issued-certificate log and that you won't lose track of requests that haven't yet been approved.
The wizard can also back up the CA's configuration information. In Figure 1, note the shaded Configuration information check box; you select it to back up the configuration of a standalone CA. Enterprise CAs store their configuration in Active Directory (AD), so you don't need to back it up separately.
The wizard doesn't write to your tape drive; it writes this highly sensitive data to a location you consider secure, and as Figure 1 shows, it requires the path of an empty directory. Create the destination folder in a secure location on the server, and when you copy the backup to tape, use a tape kept completely separate from the one you use for your usual backups.
The next step is to enter a password. The private key and CA certificate are exported to a PKCS #12 file, and the password you enter guards access to that key: anyone who obtains the file and knows the password can load the CA's private key.
After you supply the password and click Next, the wizard displays a summary screen; click Finish to run the backup. When it completes, the backup folder contains two items: a DataBase subfolder holding a copy of the certificate database and its log files, and a PKCS #12 file with a .p12 extension, named after the CA, that contains the private key and certificate on which the CA depends.
After the backup, your backup media hold the CA's private key. Protect that media accordingly: anyone who steals the private key can impersonate your CA and issue bogus certificates that your clients will trust.
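The wizard's steps, including the configuration and media advice, as a script you can schedule to meet the daily-backup minimum. This is an added example, not the article's or Microsoft's code: certutil -backup is the command-line counterpart of the wizard, while the backup root, the retention count, the password source and the registry export of the CA's configuration are my assumptions.

```powershell
# Added example, not from the original article. certutil -backup is the command-line
# counterpart of the wizard; the paths, retention and password handling are assumptions.
param(
    [string]       $BackupRoot = 'D:\CABackup',                            # local NTFS volume
    [securestring] $Password   = (Read-Host -AsSecureString 'PKCS #12 password'),
    [int]          $Keep       = 7                                          # local copies to retain
)
$ErrorActionPreference = 'Stop'

# Like the wizard, certutil refuses anything but an empty (or not yet existing) directory.
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $dest | Out-Null

# The password protects the exported private key; certutil only accepts it in clear text.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password

# Private key + CA certificate (<CAName>.p12) and the database with its logs (DataBase\).
# This equals ticking both wizard check boxes. KeepLog leaves the ESE log files in place.
certutil -p $plain -backup $dest KeepLog | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# Configuration information. The wizard's check box covers standalone CAs; exporting the
# CertSvc registry hive captures the same settings on any CA type (assumed practice).
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $dest 'CertSvc-Configuration.reg') /y | Out-Null

# Verify the two items the wizard would have produced before trusting the backup.
$p12 = @(Get-ChildItem -Path $dest -Filter '*.p12')
$edb = @(Get-ChildItem -Path (Join-Path $dest 'DataBase') -Filter '*.edb')
if ($p12.Count -ne 1 -or $edb.Count -lt 1) {
    throw "Backup in $dest is incomplete (p12 files: $($p12.Count), edb files: $($edb.Count))"
}

# The folder now holds the CA's private key: allow only SYSTEM and Administrators.
$acl = Get-Acl -Path $dest
$acl.SetAccessRuleProtection($true, $false)        # stop inheriting, drop inherited ACEs
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $dest -AclObject $acl

# Keep the newest $Keep copies on disk; older ones exist only on the dedicated CA tape.
Get-ChildItem -Path $BackupRoot -Directory | Sort-Object Name -Descending |
    Select-Object -Skip $Keep | Remove-Item -Recurse -Force

"Backed up CA to $dest ($($p12[0].Name), $($edb.Count) database file(s))"
```

Run it elevated on the CA (local administrator or backup operator rights) from a scheduled task, passing -Password from a protected source rather than the interactive prompt, and copy each dated folder to the dedicated CA tape; the .p12 should never leave the server on the general backup set.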
Restoring Your CA
The restore option is on the same All Tasks menu as the backup option. It runs the Certification Authority Restore Wizard, which lets you restore any combination of the items you backed up. Because the database can't be replaced while the CA is running, the wizard directs you to stop Certificate Services before the restore.
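The restore, as an added example that is not part of the original article: it uses the same certutil tool the wizard wraps, includes the service stop the wizard insists on, and finishes with a check that the restored CA answers. The backup path, the password prompt and the optional registry import are assumptions.

```powershell
# Added example, not from the original article. certutil -restore is what the wizard wraps;
# the backup path, password prompt and registry import are assumptions.
param(
    [Parameter(Mandatory)] [string] $Backup,      # e.g. D:\CABackup\2024-05-01_0200
    [securestring] $Password = (Read-Host -AsSecureString 'PKCS #12 password')
)
$ErrorActionPreference = 'Stop'

# Check the folder has both items before touching the live CA.
if (-not (Get-ChildItem -Path $Backup -Filter '*.p12')) { throw "$Backup holds no CA key (.p12)" }
if (-not (Test-Path (Join-Path $Backup 'DataBase')))  { throw "$Backup holds no DataBase folder" }

# The database can't be replaced while the CA is running, so stop it first
# (the wizard prompts for this; the script just does it).
Stop-Service -Name certsvc

# Restore key + certificate and the database together; -f overwrites what is on disk.
# Use -restoreKey or -restoreDB instead to bring back only one of the two.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
certutil -f -p $plain -restore $Backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }

# If the backup folder carries an exported CertSvc configuration (standalone CA), import it too.
$reg = Join-Path $Backup 'CertSvc-Configuration.reg'
if (Test-Path $reg) { reg import $reg | Out-Null }

Start-Service -Name certsvc

# Confirm the restored CA answers requests and that its private key matches its certificate.
certutil -ping
certutil -verifykeys
```

A failed certutil -ping after the service starts usually means the database and the key don't belong together (for example, a database from one backup restored next to a .p12 from another), which is why the two are kept in one dated folder.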
Remembering the Basics
As you work to secure your CAs, don't forget the basics. Make sure your certificate servers have antivirus software installed, that the virus-definition files are up-to-date, and that the antivirus services are actually running. Also check the schedule on which the software downloads new signatures; I recommend at least twice a day.
Because you don't want something as common as a hard-disk failure to cost you the certificate database, I strongly recommend redundant hardware. If redundant servers are beyond your budget, at least place the partition that holds the certificate database on a RAID array with parity or on mirrored disks.
You also must apply all the latest service packs and hotfixes to your certificate server. These patches are designed to correct known bugs and security holes.
Safeguarding Your CAs
As you’ve seen, digital certificates, their issuing CAs, the CAs’ private keys, and certificate databases play a vital role in your organization’s security. Guarding your CAs against tampering and failure is one way to avoid compromising your organization’s security and functionality.