Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.
Original URL:
Post name: Microsoft Certificate Server virtualization policy
Original author: MS2065 [MSFT]
Posting date: 2010-08-09T10:08:23+00:00

If you are unsure regarding the Microsoft Certificate server virtualization policy, just see the Microsoft Virtual Server support policy knowledgebase article at

It is worth to mention that a hardware security module (HSM) is always recommended when operating a certification authority on a virtual Windows Server. The rational behind this recommendation is quite simple: The private keys are a most valuable asset and must be highly protected. Decoupling the storage of the keys from the CA database and its configuration is a smart decision! In case the worst case happens and the virtual CA image gets out of your control, you still haven't lost the private key because it is stored in the HSM.

I always feel very concerned when CA administrators suggest to run offline CAs as virtual machines without an HSM. This is a great money saving opportunity - they tell me … The worst case scenario is burning the virtual machine with no HSM in place on a DVD as a secure backup solution. What if the DVD is lost /duplicated/becoming unreadable? They could loose their entire PKI topology sooner or later.

In summary, a Windows online or offline CA is a good candidate for a virtual environment if you have a reliable Hyper-V setup in place and a the CA keys are stored securely in an HSM.

Share this article:


Comments are closed.