[Box Backup] offline CA
Ben Summers
boxbackup@fluffy.co.uk
Fri, 4 Feb 2005 09:13:44 +0000
On 3 Feb 2005, at 21:51, Justin Haynes wrote:
> It is best to have your certificates isolated so there is less risk of
> comprimising them. I want to accomplish this by keeping them on a usb
> hard drive and backing them up to CD. The usb hard drive would be
> attached only when I needed to sign certs or get them in case one of
> my own machines needs to be restored due to failure and data loss.
>
> does anyone see any problem with this? My plan is to create a ca user
> on the backup server and mount /dev/sd0c /home/ca.
The system is designed to allow an offline CA. In fact, I recommend
people do this. In addition, the signing machine does not need to be
the backup server, so you can manage the CA on a machine which isn't
directly connected to the internet (maybe behind a NAT device to stop
incoming connections.)
Ben