Offline CA Maintenance – What Do You Really Need to Do?

In a previous post, I discussed the configuration and isolation of true offline Certificate Authorities. There I made reference to the fact that an offline CA is one that never sees the light of day, figuratively that is. The CA should be air-gaped from the network, which requires physical access to the CA to manage and issue certificates for roles such as Policy CA or for issuing a Certificate Revocation List (CRL). But how exactly do you maintain and keep the CA up to date? What exactly should you patch and manage?

One of the additional values of having an air-gaped CA is the fact that it is not subject to the access, risks and exploits that could be floating on your network. Because of this, we can be extremely targeted with what we update the CA with. We can avoid Microsoft’s “Patch Tuesday”, since the majority of those updates and issues address concerns outside of our CA. That’s not to say there couldn’t be an update that is applicable, but the standard “test and deploy all updates” don’t play here. Which is a good thing as manually updating your CA with these updates on a regular basis could be an administrative burden.

So here are the items that I consistently recommend to my customers:

1. Windows Service Packs

Microsoft has a very clear delineation of support products and configurations and running an OS without the requisite Service Pack could result in limited support from Microsoft. Outside of support, Microsoft only provides “best of abilities” support, which means hotfixes and code changes are out of the question. So even though your CA is working just fine (today), you should ensure your updates/upgrades for your CA keep it in a supported state. More details at: https://support.microsoft.com/en-us/lifecycle

2. Certificate Services Specific Hotfixes
One of the challenges I often had while at Microsoft was recommending to customers that they ensure all of their ADCS roles were properly patched with any hotfixes. If you are running an ADCS role and there is a hotfix, you do not need to wait until the problem occurs before applying the hotfix. In fact, some hotfixes like the OCSP 2960124 enable Deterministic OCSP responses – something you wouldn’t notice unless you were aware of the hotfix or happened to use a network sniffer to capture and analyze the OCSP responses your server is sending out.

So while Microsoft does not have an official list of all the hotfixes available for ADCS, I do! You can find it here on the PKI Solutions website at https://www.pkisolutions.com/adcs-hotfixes. Find the appropriate OS for your ADCS roles and review the list. When new hotfixes are released I will update the list here for your reference.

3. Any Date/Time/Daylight Savings Time Updates
Occasionally there are changes to Daylight Savings times, or even patches to address issues with drifting time/date in some environments – anyone remember the early VMWare issues in this regard? The net affect means your offline CA could wind up with a different time than the rest of your PKI components. That means an ill-timed CRL publish could be off by more than an hour. A CA by default only accommodates a 10 minute time-skew. A hour or more could cause wide-spread certificate validation problems in your environment.

4. Anti-Virus
I know it seems on the surface to be counter-intuitive – “Why would I have anti-virus software on my offline CA”? Would you like to guess the only place I’ve ever been infected with a virus from a customer? It was an Offline CA, at a bank! How did this happen? If the Root CA is offline, how are files like the CRL copied off of the Root? That’s right, via a flash drive. At some point an administrator used a flash drive that had been infected and the virus laid in wait on the CA for my to insert my flash drive to get some configuration files. Along comes the virus and my laptop detects it. Luckily the virus didn’t destroy data or cause a larger problem. So I always recommend AV software for customers now, and IF you remember to update the signatures, great. But I’d rather make sure there is some AV software, even if the signatures are old. Something is better than nothing.

So now that we covered the What, now we can discuss the When. The easy answer is unless any of the above items is a critical issue that can cause a problem, all of these can wait for the next CA maintenance window. This generally occurs whenever the CA is powered on to perform the CRL publish process. So it’s a good time to build a flash drive and get all the items you need to update the CA brought over and applied at the same time.

So through having an isolated, offline CA, your maintenance demands are actually reduced. It just means you have to be diligent in tracking and applying these items on your own.