List:       openssl-users
Subject:    Re: Best way to store keys and certs on Windows [was: Windows Certificate
From:       Jakob Bohm <jb-openssl () wisemo ! com>
Date:       2010-06-28 8:36:14
Message-ID: 4C285EFE.3040208 () wisemo ! com
On 26-06-2010 18:29, Mohan Radhakrishnan wrote:
>         Please ignore if this question belongs elsewhere but it looks
> like the OP is storing and retrieving SSL certificate from a Windows
> store. I have been looking for ways to use the Windows store to secure
> SSL certificates and keys and SFTP keys.
>
> Is windows or any other method recommended for storage of keys and
> certificates not created by Windows ? We just cut a CD with the keys
> and hand it over to the custodian as recommended by PCI but we want a
> storage server. I know that RedHat has a PKI server but we already
> have windows and the number of keys is less.
>

(You really should have started a new thread for this question, but I'll
answer anyway.)

The answer to this depends a lot on what kind of keys you are storing. 
I note that you are going for PCI compliance, so I am assuming serious
security here.

1. If you are storing the sensitive private keys, then the proper
answer is: Key copies that are not used many times every day should
be stored in secure hardware not connected to any computer and locked
away in a serious, well-guarded strongbox; relevant hardware includes
Spyrus PCMCIA HSMs and high end smart cards.  For very rarely used key
copies, they should be split using Shamir's sharing scheme or similar
into parts stored on separate smart cards guarded by different people in 
different strongboxes.  For key copies that are used frequently by
automated servers, you should use a large high end HSM (too heavy for
anyone to put in their pocket) fitted with internal motion sensors that 
erase the keys if the device is physically moved anyway.

2. If you are storing just the public keys and certificates, and using
Windows, I would recommend the following combination:  Store each
certificate in a PEM/Base64 DER file with extension .cer and the
combined list of all of them in a binary DER file with extension .CRT.
Burn all those files to a CD and keep it in a read-only optical drive
(not a CD or DVD writer) in the server to prevent malicious
modifications. (These file formats can be directly read and used by both
Windows and openssl; the openssl command line tool is good for making
the combined .crt.)  Also put a copy of the certificates in Active
Directory group policies under appropriate categories, for instance CAs
under trusted CAs.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
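The .cer / .crt layout described in item 2 above, carried out with the openssl command line tool, as an added example that is not part of Jakob's message or of OpenSSL's own documentation. The two CA names (root-ca, issuing-ca) are hypothetical, and the certificates are self-signed test certificates generated inside the script so it runs offline; a real deployment would start from the CA-issued certificates it was handed. The combined binary DER file is built as a PKCS#7 certificate bundle, since a plain DER file holds only one X.509 certificate, and the last function is the check a custodian can run against the files before they go to the CD burner.

```shell
#!/bin/sh
# Added example, not code from the original post.  Builds one PEM
# (Base64 DER) .cer file per certificate plus one binary DER .crt bundle
# holding all of them, then verifies the bundle.
set -eu

# Work in a scratch directory (assumption: mktemp is available).
WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Step 0 (constructed input): two throw-away self-signed "CA" certs with
# hypothetical names, so the script is self-contained.
make_test_ca() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$name" -keyout "$name.key" -out "$name.pem" 2>/dev/null
}

# Step 1: one PEM file per certificate, extension .cer.  Passing the input
# through "openssl x509" normalises whatever encoding you were given
# (PEM or DER) into clean PEM with no surrounding text.
to_cer() {
    openssl x509 -in "$1" -outform PEM -out "$2"
}

# Step 2: combine all .cer files into a single binary DER bundle with
# extension .crt.  DER can only hold one certificate per file, so the
# container for "a list of certificates" is a degenerate PKCS#7
# SignedData object, which both Windows and openssl can read.
make_bundle() {
    out="$1"; shift
    args=""
    for f in "$@"; do args="$args -certfile $f"; done   # no spaces in names
    # shellcheck disable=SC2086
    openssl crl2pkcs7 -nocrl $args -outform DER -out "$out"
}

# Step 3 (the check): parse the DER bundle back and count the certificates
# it contains; run this against the files before burning the CD.
count_certs() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -c '^subject='
}

make_test_ca root-ca
make_test_ca issuing-ca
to_cer root-ca.pem root-ca.cer
to_cer issuing-ca.pem issuing-ca.cer
make_bundle all-cas.crt root-ca.cer issuing-ca.cer
count_certs all-cas.crt   # prints 2
```

Once the bundle checks out, only the .cer and .crt files belong on the CD; the .key files generated here exist solely because the example had to mint its own test certificates and would never be copied next to the public material in practice.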