Create a secure root CA on vSphere
I'm currently working on a small PKI environment. I decided to build a 2-tier PKI environment containing an offline root CA and an Enterprise Subordinate. I was looking for a way to host the root CA on VMware vSphere, but it needs to be secure. The idea I came up with was building a root CA with BitLocker drive encryption. We didn't want to restore and delete the CA every time we needed to start it to refresh the CRLs. Normally this would be every 180 days.
This is the approach I followed.
- Set up a Microsoft Windows 2008 R2 STD server for the Root CA
- Don't add the server to the domain; keep it a workgroup server.
- Open gpedit.msc and locate the “Control Panel Setup: Enable advanced startup options” setting in Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption. Configure it, check “Allow BitLocker without compatible TPM chip” and reboot.
- Make sure a floppy drive has been configured for the virtual machine and create a new Root_CA_bitlocker.flp file. Format the disk.
- Open a privileged command prompt and run C:\Windows\System32\manage-bde.exe -on C: -rp -sk A:
- Save the recovery key to a file and keep it secure, off your server, in a safe.
- Reboot your server; be sure that the floppy drive is the last device in the boot order.
- When your server starts, encryption will begin. After it finishes you will see this.
- If you try to start your server without the presence of Root_CA_bitlocker.flp you will see this.
- Configure your root CA and root certificates. Export those to a USB key together with the BitLocker recovery key and your Root_CA_bitlocker.flp. Remove the Root_CA_bitlocker.flp from your storage.
- Hand those over to your security officer and write a procedure for refreshing your CRLs.
As you can see, it's easy to secure your root CAs against unauthorized access.
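An added example (not part of the original post): a PowerShell check for the end state of the steps above, using the Win32_EncryptableVolume WMI class that comes with BitLocker. It assumes the OS volume is C: as in the manage-bde command; the helper name Get-ProtectorCount is made up for this example.

```powershell
# Added example: checks the end state of "manage-bde.exe -on C: -rp -sk A:".
# Run elevated on the root CA; written for PowerShell 2.0 (Windows Server 2008 R2).
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if (-not $vol) { throw 'C: is not exposed as a BitLocker volume (feature missing or not elevated).' }

# KeyProtectorType values accepted by Win32_EncryptableVolume.GetKeyProtectors()
$ExternalKey       = 2   # startup key written by -sk (stored as a .BEK file)
$NumericalPassword = 3   # recovery password created by -rp

# Hypothetical helper: number of key protectors of one type on the volume.
function Get-ProtectorCount($Volume, $Type) {
    $r = $Volume.GetKeyProtectors($Type)
    if ($r.ReturnValue -ne 0) { throw "GetKeyProtectors failed with code $($r.ReturnValue)" }
    return @($r.VolumeKeyProtectorID | Where-Object { $_ }).Count
}

# Startup key files are hidden, so -Force is needed. DriveType 2 = removable (floppy, USB).
$bek = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    Get-ChildItem -Path ($_.DeviceID + '\') -Filter *.BEK -Force -ErrorAction SilentlyContinue
})

# ConversionStatus 1 = fully encrypted, ProtectionStatus 1 = protection on.
$results = @(
    @('C: fully encrypted',            ($vol.GetConversionStatus().ConversionStatus -eq 1)),
    @('BitLocker protection is on',    ($vol.GetProtectionStatus().ProtectionStatus -eq 1)),
    @('Startup key protector present', ((Get-ProtectorCount $vol $ExternalKey) -ge 1)),
    @('Recovery password present',     ((Get-ProtectorCount $vol $NumericalPassword) -ge 1)),
    # Passes only once Root_CA_bitlocker.flp has been detached from the VM.
    @('No .BEK file on removable drives', ($bek.Count -eq 0))
)

$failed = 0
foreach ($r in $results) {
    if (-not $r[1]) { $failed++ }
    '{0,-36} {1}' -f $r[0], $(if ($r[1]) { 'OK' } else { 'FAIL' })
}
if ($failed -gt 0) { exit 1 }
```

The last check is expected to fail while the floppy image is still attached for boot, so run it again after the image has been removed from storage and before the server is handed over.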