September 1, 2021

It’s time for the PKI!

Hey everyone!

As the title says, my company started working on building our PKI. Since I am the one guy who has started to become more involved with network security over the past few months, the IT team is looking to me to lead the way on this.

This makes me excited but also nervous as I’ve never been very confident in my knowledge of cryptography and have not even seen a properly implemented PKI before. At this point, I’m just doing my best to absorb trusted information quickly and build with a security-based mindset.

I’ve read through Microsoft’s guide on Designing and Implementing a PKI and everything makes sense to me there. However, what confuses me is that, as far as I can see when going through the configurations, our network monitoring tools and firewalls already came preinstalled with certificates and CAs. Also, I was asked to create certificates for our firewalls’ administrator console login pages and did so by creating a Local CA in FortiAuthenticator, as shown in their Cookbook. At the time, I believed this would be secure, since it’s our most protected asset, but I’m not sure how I can integrate this into a new Windows-based PKI.
Another thing I’m having trouble understanding is: a former employee made the Domain Controller a Root CA. I’d really like to have our Root CA be offline. Is there a way to decommission the old Root CA?

This may seem silly to the pros here but it’s all completely messing me up. Does anybody have any advice? Any tips are also appreciated. The things a PKI makes possible are amazing but fuck it’s hard to grasp.
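An added example for this thread (not code from the original post, from Microsoft’s guide, or from Fortinet): before designing a new hierarchy it helps to inventory what Active Directory already publishes, because that is what every domain member trusts and auto-enrolls against. The script below reads the three containers under Public Key Services in the Configuration partition (Enrollment Services, Certification Authorities, NTAuthCertificates), decodes each published certificate, and flags an enterprise CA whose certificate is self-signed and whose host is a domain controller, which is exactly the “Domain Controller is a Root CA” situation. It assumes the ActiveDirectory RSAT module on a domain-joined host; reading the Configuration partition needs no special rights by default. It only reads, it changes nothing.

```powershell
# Added example, not from the original post, Microsoft or Fortinet.
# Assumes: ActiveDirectory RSAT module, domain-joined host, read access to
# the Configuration partition (granted to Authenticated Users by default).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$dcHosts  = (Get-ADDomainController -Filter *).HostName

# Decode every cACertificate value (DER bytes) on an AD object into X509Certificate2
function ConvertTo-CertObject {
    param([Parameter(Mandatory)] $AdObject)
    foreach ($blob in @($AdObject.cACertificate)) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
    }
}

function Get-DomainCaInventory {
    $rows = @()

    # 1. Enterprise CAs: what domain members enroll against. IsRoot=True here
    #    means a root CA is online and issuing end-entity certificates directly.
    $enrollment = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName, cACertificate
    foreach ($svc in @($enrollment)) {
        foreach ($cert in ConvertTo-CertObject $svc) {
            $rows += [pscustomobject]@{
                Store      = 'EnrollmentServices'
                Name       = $svc.Name
                Host       = $svc.dNSHostName
                OnDC       = [bool]($dcHosts -contains $svc.dNSHostName)
                IsRoot     = ($cert.Subject -eq $cert.Issuer)
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }

    # 2. Certification Authorities: roots Group Policy pushes into every
    #    member's Trusted Root store (vendor or FortiAuthenticator roots
    #    published with certutil -dspublish land here).
    $published = Get-ADObject -SearchBase "CN=Certification Authorities,$pkiBase" `
        -LDAPFilter '(objectClass=certificationAuthority)' -Properties cACertificate
    # 3. NTAuthCertificates: CAs allowed to issue certificates usable for
    #    domain logon (smart card / PKINIT). Searched rather than fetched by
    #    DN so the script does not throw if no enterprise CA was ever installed.
    $ntauth = Get-ADObject -SearchBase $pkiBase -SearchScope OneLevel `
        -LDAPFilter '(cn=NTAuthCertificates)' -Properties cACertificate

    $trustStores = @{ 'CertificationAuthorities' = $published; 'NTAuth' = $ntauth }
    foreach ($store in $trustStores.Keys) {
        foreach ($obj in @($trustStores[$store])) {
            if ($null -eq $obj) { continue }
            foreach ($cert in ConvertTo-CertObject $obj) {
                $rows += [pscustomobject]@{
                    Store      = $store
                    Name       = $obj.Name
                    Host       = $null
                    OnDC       = $null
                    IsRoot     = ($cert.Subject -eq $cert.Issuer)
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
    return $rows
}

$inventory = Get-DomainCaInventory
$inventory | Sort-Object Store, Name | Format-Table -AutoSize

# The case from the post: a root CA whose private key lives on a domain controller.
$inventory | Where-Object { $_.OnDC -and $_.IsRoot } | ForEach-Object {
    Write-Warning "Root CA '$($_.Name)' is issuing directly from domain controller $($_.Host)"
}
```

Two practitioner notes on reading the output. A root that only appears under CertificationAuthorities or NTAuth, with no EnrollmentServices entry, is a trust anchor the domain accepts but not a CA Windows clients enroll from; that is the normal shape for an offline root, and it is also how a FortiAuthenticator Local CA root can be made trusted by domain members without rebuilding it inside the Windows hierarchy (export its root certificate and publish it with `certutil -dspublish -f fortiauth-root.cer RootCA`, filename assumed here). Removing the root CA from the domain controller is a separate, documented Microsoft procedure (uninstall the AD CS role, then clean up the stale objects in these same containers with pkiview.msc or `certutil -dsdel`); this script does not do that, it only shows what exists so nothing gets deleted that something still depends on.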

Comments

emasculine

your first issue is PKI != X.509. this is an extremely pernicious conflation. see:

https://rip-van-webble.blogspot.com/2021/03/certificates-confuse-everything.html
