[Box Backup] offline CA

Ben Summers boxbackup@fluffy.co.uk
Fri, 4 Feb 2005 09:13:44 +0000


On 3 Feb 2005, at 21:51, Justin Haynes wrote:

> It is best to have your certificates isolated so there is less risk of 
> compromising them.  I want to accomplish this by keeping them on a usb 
> hard drive and backing them up to CD.  The usb hard drive would be 
> attached only when I needed to sign certs or get them in case one of 
> my own machines needs to be restored due to failure and data loss.
>
> does anyone see any problem with this?  My plan is to create a ca user 
> on the backup server and mount /dev/sd0c /home/ca.

The system is designed to allow an offline CA. In fact, I recommend 
people do this. In addition, the signing machine does not need to be 
the backup server, so you can manage the CA on a machine which isn't 
directly connected to the internet (maybe behind a NAT device to stop 
incoming connections).

Ben
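The setup Justin describes (a dedicated ca user, /dev/sd0c mounted on /home/ca only for the duration of a signing run), as an added shell example that is not from this list or from the Box Backup project. The bbstored-certs subcommands and the ca/keys directory layout are assumed from the Box Backup documentation rather than from this thread.

```shell
#!/bin/sh
# Added example: attach the offline CA volume, refuse to sign if any CA
# private key is readable by anyone but the CA user, sign, then detach.
# Assumed layout (from the thread): device /dev/sd0c, mount point /home/ca,
# CA created there with "bbstored-certs ca init" (Box Backup's tool).
set -eu

CA_DEV="${CA_DEV:-/dev/sd0c}"
CA_MNT="${CA_MNT:-/home/ca}"
CA_USER="${CA_USER:-ca}"

# check_ca_key_perms KEYFILE OWNER: 0 only if the file exists, is owned by
# OWNER and has mode 0600 or 0400 (GNU stat first, BSD stat as fallback).
check_ca_key_perms() {
    key="$1"; owner="$2"
    [ -f "$key" ] || return 1
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    user=$(stat -c '%U' "$key" 2>/dev/null || stat -f '%Su' "$key")
    [ "$user" = "$owner" ] || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Mount with nodev,nosuid,noexec: nothing on the removable volume should
# ever be executable or act as a device node on the signing host.
attach_ca() { mount -o nodev,nosuid,noexec "$CA_DEV" "$CA_MNT"; }
detach_ca() { sync; umount "$CA_MNT"; }

# sign_csr client|server CSR-FILE: the volume is detached again on any exit,
# including a failed permission check. "ca" is the CA directory name that
# bbstored-certs expects relative to the mount point (assumed).
sign_csr() {
    kind="$1"; csr="$2"
    attach_ca
    trap detach_ca EXIT
    for key in "$CA_MNT"/ca/keys/*; do
        check_ca_key_perms "$key" "$CA_USER" ||
            { echo "refusing to sign: $key is exposed" >&2; return 1; }
    done
    case "$kind" in
        client) (cd "$CA_MNT" && bbstored-certs ca sign "$csr") ;;
        server) (cd "$CA_MNT" && bbstored-certs ca sign-server "$csr") ;;
        *) echo "usage: $0 client|server CSR-FILE" >&2; return 1 ;;
    esac
}

# Only act when invoked with arguments, so the functions can be sourced.
if [ $# -ge 2 ]; then sign_csr "$@"; fi
```

Run it as root on the signing host as `./sign-offline.sh client 12345678-csr.pem` (file name constructed); the script never copies the keys off the volume, which is the point of the setup.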