Microsoft Certificate Server virtualization policy

If you are unsure regarding the Microsoft Certificate server virtualization policy, just see the Microsoft Virtual Server support policy knowledgebase article at

It is worth to mention that a hardware security module (HSM) is always recommended when operating a certification authority on a virtual Windows Server. The rational behind this recommendation is quite simple: The private keys are a most valuable asset and must be highly protected. Decoupling the storage of the keys from the CA database and its configuration is a smart decision! In case the worst case happens and the virtual CA image gets out of your control, you still haven’t lost the private key because it is stored in the HSM.

I always feel very concerned when CA administrators suggest to run offline CAs as virtual machines without an HSM. This is a great money saving opportunity – they tell me … The worst case scenario is burning the virtual machine with no HSM in place on a DVD as a secure backup solution. What if the DVD is lost /duplicated/becoming unreadable? They could loose their entire PKI topology sooner or later.

In summary, a Windows online or offline CA is a good candidate for a virtual environment if you have a reliable Hyper-V setup in place and a the CA keys are stored securely in an HSM.

Comments (2)

  1. Paul says:

    What about best practices for using virtual technologies in PKI implementations? Are there any articles or blogs available?

  2. Jakob H. Heidelberg says:

    There is a way to make an OFFLINE virtual CA server very secure, without the use of an HSM, using built-in Microsoft Windows technology only.

    Create a virtual floppy, enable BitLocker on the offline CA and place keys on the virtual floppy. Now store that safely, not in virtual environment of course.

    For several reasons this is NOT the same as having an HSM solution in place, but it protects the offline CA private keys in a very cheap manner.