Keys Stored on Smart Cards

To increase the security of the private key, you can store the key on a two-factor device, such as a smart card. Moving the CA's private key to a smart card requires a CA Administrator to have access to the smart card and know the smart card's PIN.

If you implement a smart card cryptographic service provider (CSP), you must enable the Allow CSP to Interact with the Desktop option during the Certificate Services Installation Wizard. (See Figure 7-3.) The Allow CSP to Interact with the Desktop option enables the display of the PIN entry dialog box for the smart card in the user's session when a machine-related private key is accessed.

Figure 7-3 Allowing a smart card CSP to interact with the Windows desktop

You can further secure the implementation of a smart card for protecting the CA's private key by storing the CA's smart card in a secure location, such as a safe. By splitting the responsibilities of retrieving the smart card from the safe and knowing the smart card's PIN, you can ensure that at least two people are involved in starting Certificate Services at an online CA.

Note If you implement a smart card for the CSP of an online CA, the smart card must remain in the smart card reader of the CA computer at all times. Removing the smart card from the reader causes the computer to lose access to the private key material, which prevents Certificate Services from starting; new certificates cannot be issued, and updated certificate revocation lists (CRLs) cannot be published.
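The following PowerShell script is an added operational check, not from the book, for a CA whose key has been moved to a smart card CSP as described above: it reports the provider configured for the CA, inspects the CertSvc service, and runs certutil -verifykeys to confirm the private key is reachable (the check that fails when the card is out of the reader). It assumes the Allow CSP to Interact with the Desktop option is reflected in the service's Interactive Process flag, and that it is run elevated on the CA computer.

```powershell
# Added example, not from the book: after moving a CA's private key to a smart
# card CSP, report the configured provider and confirm the key is still reachable.
# Assumes Windows Server with Certificate Services installed; run elevated on the CA.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$csp    = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")

# Assumption: the "Allow CSP to Interact with the Desktop" wizard option is
# reflected in the CertSvc service's Interactive Process flag.
$svc = Get-CimInstance Win32_Service -Filter "Name='CertSvc'"

[pscustomobject]@{
    CA            = $caName
    Provider      = $csp.Provider
    ProviderType  = $csp.ProviderType
    MachineKeyset = $csp.MachineKeyset
    ServiceState  = $svc.State
    ServiceType   = $svc.ServiceType   # expect "Interactive Process" with a smart card CSP
} | Format-List

# certutil -verifykeys checks that the CA certificate's public key matches a
# private key the configured CSP can open. With a smart card CSP this fails when
# the card is out of the reader, the condition the note above describes.
$output = & certutil.exe -verifykeys 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "CA private key not accessible (is the smart card in the reader?)"
    $output | Write-Warning
} else {
    Write-Host "CA key pair verified; private key is reachable through $($csp.Provider)."
}
```

Run it after inserting the card and entering the PIN; a failing verifykeys before Certificate Services is started tells you the service will not start either.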


