VM-CASINO-PKISVR01 — Certificate Authority Server
Overview
| Field | Value |
|---|---|
| VM Name | VM-CASINO-PKISVR01 |
| Role | Microsoft PKI — Intermediate / Issuing Certificate Authority |
| Environment | Production |
| Location | Casino Floor Data Center — Rack C3 |
| vCenter | vcenter.casino.local |
| Cluster | SEC-CLUSTER-01 |
| Host | esxi-host-05.casino.local |
| VM UUID | 422ecj45-8b2e-11ec-l2ff-000c29a1b3dc |
| Hardware Version | VMware Hardware v19 |
Hardware Configuration
| Component | Specification |
|---|---|
| vCPUs | 4 |
| CPU Sockets | 2 |
| Cores per Socket | 2 |
| RAM | 8 GB |
| Memory Reservation | 4 GB |
| CPU Reservation | 1000 MHz |
Storage
| Datastore | Disk | Size | Type | Format |
|---|---|---|---|---|
| SEC-SAN-DS01 | Hard Disk 1 (OS) | 80 GB | VMDK | Thin Provisioned |
| SEC-SAN-DS01 | Hard Disk 2 (CA DB) | 50 GB | VMDK | Thick Eager Zeroed |
Networking
| Adapter | Type | Port Group | VLAN | MAC Address | IP Address |
|---|---|---|---|---|---|
| NIC 1 | VMXNET3 | PG-MGMT-100 | 100 | 00:50:56:a1:12:01 | 10.10.100.120 |
Guest OS
| Field | Value |
|---|---|
| OS | Windows Server 2022 Standard |
| Build | 20348.2340 |
| VMware Tools | 12.3.0 (Current) |
| Computer Name | CASINO-PKISVR01 |
| Domain | casino.local |
| Time Zone | Eastern Standard Time |
PKI Configuration
| Field | Value |
|---|---|
| CA Type | Enterprise Subordinate (Issuing) CA |
| Parent CA | CASINO-ROOT-CA (offline) |
| CA Name | Casino Issuing CA 1 |
| Key Algorithm | RSA 4096-bit |
| Hash Algorithm | SHA-256 |
| CRL Publication | Weekly / Delta: Daily |
| CRL Location | http://pki.casino.local/crl |
| OCSP | http://pki.casino.local/ocsp |
| Validity Period | Issued certs: 1 year (servers), 2 years (user) |
Certificate Templates Active
| Template | Purpose | Validity |
|---|---|---|
| WebServer | IIS / web services SSL | 1 year |
| WorkstationAuth | Machine authentication | 1 year |
| UserAuth | Smart card / user auth | 2 years |
| CodeSigning | Internal code signing | 1 year |
| DomainController | DC authentication | 1 year |
Backup & Recovery
| Field | Value |
|---|---|
| Backup Tool | Veeam + Windows CA Backup |
| CA DB Backup | Daily 03:30 AM |
| VM Backup | Daily 03:30 AM |
| Retention | 30 days |
| RTO Target | 2 hours |
| RPO Target | 24 hours |
Notes
- Root CA is offline (air-gapped physical server in vault) — do not power on except for CRL renewal
- CA private key backed up to encrypted USB stored in physical safe — see PKI Runbook
- Certificate expiry monitoring via AppViewX — alert at 60/30/14 days
- Patching window: Last Saturday of month 02:00–04:00 AM
- Contact: Infrastructure Team / Security Team