mike at cycletime.com
Thu Apr 7 14:57:26 MDT 2005
On Thu, 2005-04-07 at 14:08 -0600, jeff wrote:
> I am about to set up certificates for our company. Initially for
> OpenVPN, but later for other things. I have been trying to decide where
> to put the CA. Ideally, I would think it should be on a machine that is
> isolated from the network. In many ways this is impractical or at least
> very inconvenient. How does everyone else deal with this?
We put our CA on two thumb drives. One sits in a safe and the other
sits in a safe deposit box (for redundancy, just in case.) We only plug
the thumb drive into a machine that is not connected to the network to
do the signing. This is probably more secure than it needs to be since
the stuff we're signing is not THAT valuable but we already had the safe
and safe deposit box. Besides, thumb drives are cheap.
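
The offline signing step described in the reply above, sketched as an added shell example that is not part of the original post. The directory layout (ca.key and ca.crt on each drive), the function names and the ROUTE_FILE override are assumptions made for illustration; the offline check only looks at the Linux IPv4 routing table.

```shell
#!/bin/sh
# Added example. Assumed layout: each thumb drive holds ca.key and ca.crt.
# ROUTE_FILE is a hypothetical override so the check can be exercised.

# Succeed only if the Linux IPv4 routing table is readable and has no
# default route (destination and mask both 00000000). Fails closed.
is_offline() {
    route_file=${1:-/proc/net/route}
    [ -r "$route_file" ] || return 1
    awk 'NR > 1 && $2 == "00000000" && $8 == "00000000" { up = 1 }
         END { exit up + 0 }' "$route_file"
}

# Succeed if both drives carry byte-identical CA key and certificate.
ca_copies_match() {
    for f in ca.key ca.crt; do
        cmp -s "$1/$f" "$2/$f" || return 1
    done
}

# sign_csr_offline CA_DIR CSR OUT [DAYS]: sign only while offline, then
# confirm the new certificate chains to the CA before it leaves the machine.
sign_csr_offline() {
    ca_dir=$1; csr=$2; out=$3; days=${4:-365}
    if ! is_offline "${ROUTE_FILE:-/proc/net/route}"; then
        echo "refusing to sign: machine has a default route" >&2
        return 1
    fi
    # x509 -req checks the CSR's self-signature before signing it.
    openssl x509 -req -in "$csr" -sha256 -days "$days" \
        -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" \
        -CAserial "$ca_dir/ca.srl" -CAcreateserial -out "$out" || return 1
    openssl verify -CAfile "$ca_dir/ca.crt" "$out" >/dev/null
}
```

The serial file ca.srl is written next to the CA on the drive used for signing, so the backup copy's serial file lags behind until it is refreshed.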