As the title says, my company started working on building our PKI. Since I am the one guy who has started to become more involved with network security over the past few months, the IT team is looking to me to lead the way on this.
This makes me excited but also nervous as I’ve never been very confident in my knowledge of cryptography and have not even seen a properly implemented PKI before. At this point, I’m just doing my best to absorb trusted information quickly and build with a security-based mindset.
I’ve read through Microsoft’s guide on Designing and Implementing a PKI and everything makes sense to me there. However, what confuses me is that, as far as I can see when going through the configurations, our network monitoring tools and firewalls already came preinstalled with certificates and CAs. Also, I was asked to create certificates for our firewalls’ administrator console login pages and did so by creating a Local CA in FortiAuthenticator, as shown in their Cookbook. At the time, I believed this would be secure, since it’s our most protected asset, but I’m not sure how I can implement this into a new Windows-based PKI.
Another thing I’m having trouble understanding is: a former employee made the Domain Controller a Root CA. I’d really like to have our Root CA be offline. Is there a way to decommission the old Root CA?
This may seem silly to the pros here but it’s all completely messing me up. Does anybody have any advice? Any tips are also appreciated. The things a PKI makes possible are amazing but fuck it’s hard to grasp.