How would you publish your PKI repositories (CDP and AIA) in Windows Azure?

If you were planning your deployment of PKI on Azure, whereabouts would you put your public-facing CDP and AIA repositories?

I was thinking it would be a good idea to host it on Azure Websites but what does the community do?

September 9th, 2015 1:14am

Hi,

I am currently researching your question and will post a reply soon.
Your patience is appreciated.

Regards,
Nithin Rathnakar

September 9th, 2015 2:37pm

Hi AzDigital,

As a matter of fact you can put your front-end server (including CDP and AIA) wherever you want; however, please consider that the PKI will publish CRLs, and those files need to be copied to the front-end server (with a script, presumably, or a file share), so the PKI and front-end servers have to be close. Summing up, if you use Azure IaaS for your VMs with PKI, use VMs for the front end hosting the CDP and AIA paths.

September 10th, 2015 11:12am
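The CA-side half of what Andrzej describes (the CA writing its CRL and certificate to a local folder, and the public HTTP URL being stamped into issued certificates) is an AD CS registry setting. The script below is an added example, not code from the original thread; the CA name, the repository host pki.contoso.com and the path /pki/ are placeholders, and it must be run elevated on the issuing CA.

```powershell
# Added example (not from the original thread): point an AD CS CA at a local
# publication folder for the CRL/CA certificate and stamp issued certificates
# with the HTTP CDP/AIA URL that the public repository will serve.
# Placeholders: repository host pki.contoso.com and path /pki/.

$RepoUrl = 'http://pki.contoso.com/pki'   # plain HTTP on purpose: an HTTPS CDP/AIA
                                          # would itself need a revocation check
$Local   = 'C:\Windows\System32\CertSrv\CertEnroll'

# Flag bits understood by certutil -setreg for publication URLs:
#   1  = publish the CRL / CA certificate to this location
#   2  = include this URL in the CDP (or AIA) extension of issued certificates
#   4  = include this URL in issued CRLs so clients can find delta CRLs
#   64 = publish delta CRLs to this location (CRLPublicationURLs only)
# Token expansion: %1 = server DNS name, %3 = CA name,
#   %4 = certificate renewal suffix, %8 = CRL name suffix, %9 = delta CRL suffix.
# Multiple entries are separated by a literal "\n" in the argument string.
$cdp = @(
    "65:$Local\%3%8%9.crl",        # 1 + 64: write base and delta CRLs locally
    "6:$RepoUrl/%3%8%9.crl"        # 2 + 4: the URL clients will find in certificates
) -join '\n'

$aia = @(
    "1:$Local\%1_%3%4.crt",        # local copy of the CA certificate
    "2:$RepoUrl/%3%4.crt"          # AIA URL placed in issued certificates
) -join '\n'

certutil -setreg CA\CRLPublicationURLs    "$cdp"
certutil -setreg CA\CACertPublicationURLs "$aia"

Restart-Service certsvc            # the CA reads these values at start-up
certutil -CRL                      # force a fresh CRL into $Local right away

# Check: take any certificate issued after the change and let CryptoAPI
# fetch every CDP/AIA URL it contains. Each URL should come back "Verified";
# an unreachable repository shows up here as an error on that URL.
certutil -verify -urlfetch .\issued.cer | Select-String -Pattern 'http://', 'Verified', 'Error'
```

Note that only the local path carries the publish flag (1/64); the HTTP entry carries only the "include in extension" flags, so the CA never tries to write to the repository itself. Getting the CRL from `$Local` to wherever the URL resolves is the separate copy job that the reply above refers to. Certificates issued before the change keep their old URLs, so the old repository has to stay reachable until they expire.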

Hi Andrzej,

Thanks for your reply. I can see that it would make sense to keep them close for a file share; I forgot to consider that.

But then I remembered we can upload files to Azure Blobs from our VMs, which can then be accessed publicly via HTTP.

In your experience would you see anything wrong with using an Azure Blob container for the CDP and AIA?

I'm trying to avoid using another VM with IIS on it if I can, but if there's no other choice then I will need to use VMs as you have previously recommended.

Thanks in advance, 

September 13th, 2015 10:23pm

Hi,

I haven't thought about (nor done) Azure Blobs, but it makes sense in general; just think about the points below.

Consider that for users on the Internet, Azure Blobs are fine (the same way you could put VMs with IIS in your DMZ). For users on the LAN, commonly a split-brain DNS scenario is used, meaning that internal users accessing the HTTP CDP and AIA paths are directed to internal VMs with IIS, while users on the Internet are directed to reverse proxies. Having that in mind, I can see a scenario where Azure Blob containers may not work: users, servers and services that use certificates (so they have to validate CRLs) but don't have Internet access to reach Azure Blobs. In that case I would use a split-brain DNS scenario with internal IIS/Apache (which may already be used by other applications) to set the CDP and AIA paths and the DNS record.

The other thing I would be concerned about is the configuration of how you copy CRLs from your CAs to Azure Blobs in terms of security: privileges, access by unauthorized users, etc. Also, consider having load balancing for your published Azure Blobs.

September 14th, 2015 2:57am
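The copy job and its privileges are the part Andrzej flags above, and the split-brain DNS record is the other half of his answer. The script below is an added example, not code from the thread: it publishes the CRL and CA certificate from the CA's CertEnroll folder into an Azure Blob container that serves as the public CDP/AIA, using a create/write-only SAS token so the job running on the CA cannot read, list or delete anything in the repository. The storage account "contosopki", resource group "rg-pki", container "pki", custom domain pki.contoso.com, the internal IIS address 10.0.0.20 and the presence of the Az and DnsServer PowerShell modules are all assumptions.

```powershell
# Added example (not from the original thread). Placeholders, not real
# resources: storage account contosopki, resource group rg-pki, container pki,
# custom domain pki.contoso.com, internal repository VM 10.0.0.20.

$Account   = 'contosopki'
$Rg        = 'rg-pki'
$Container = 'pki'
$Local     = 'C:\Windows\System32\CertSrv\CertEnroll'

# --- one-time setup, run by a storage administrator, never on the CA ---------
$key   = (Get-AzStorageAccountKey -ResourceGroupName $Rg -Name $Account)[0].Value
$admin = New-AzStorageContext -StorageAccountName $Account -StorageAccountKey $key

# Anonymous read on blobs only ("Blob", not "Container"): clients can fetch a
# CRL by name but cannot enumerate the repository.
Set-AzStorageContainerAcl -Name $Container -Permission Blob -Context $admin

# Create/write-only SAS for the copy job. No r/l/d: a compromised CA host can
# overwrite the CRL (which it could do anyway) but not list or delete content.
# Rotate the token before it expires; the scheduled task reads it from a file
# readable only by the task's service account.
$sas = New-AzStorageContainerSASToken -Name $Container -Permission cw `
           -ExpiryTime (Get-Date).AddDays(30) -Context $admin

# Split-brain DNS: the public zone resolves pki.contoso.com to the storage
# endpoint, the internal zone to the IIS VM that serves the same paths.
# Note that a custom domain on Blob storage serves plain HTTP, which is what
# the CDP/AIA URLs use anyway.
Add-DnsServerResourceRecordCName -ComputerName 'dns-ext' -ZoneName 'contoso.com' `
    -Name 'pki' -HostNameAlias "$Account.blob.core.windows.net"
Add-DnsServerResourceRecordA -ComputerName 'dc01' -ZoneName 'contoso.com' `
    -Name 'pki' -IPv4Address '10.0.0.20'

# --- copy job, scheduled on the CA after each CRL publication ----------------
$job = New-AzStorageContext -StorageAccountName $Account -SasToken $sas

Get-ChildItem -Path "$Local\*" -Include '*.crl', '*.crt' | ForEach-Object {
    # Correct MIME type for CryptoAPI and proxies; a short max-age so a CRL
    # republished early (after a revocation) is not masked by caches until
    # the old Next Update.
    $type = if ($_.Extension -eq '.crl') { 'application/pkix-crl' } else { 'application/pkix-cert' }
    Set-AzStorageBlobContent -File $_.FullName -Container $Container -Blob $_.Name `
        -Context $job -Force `
        -Properties @{ ContentType = $type; CacheControl = 'max-age=900' }
}

# --- checks: the base CRL is reachable anonymously and is current ------------
# Delta CRL file names contain '+', so exclude them to pick the base CRL.
$crlName = (Get-ChildItem "$Local\*.crl" | Where-Object Name -notlike '*+*' |
            Select-Object -First 1).Name
$url     = "http://pki.contoso.com/$Container/$crlName"
$tmp     = Join-Path $env:TEMP 'check.crl'
$resp    = Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $tmp -PassThru
$resp.Headers['Content-Type']                       # expect application/pkix-crl
certutil -dump $tmp | Select-String 'ThisUpdate', 'NextUpdate'
```

Two things to verify before relying on this: the storage account must permit anonymous blob access at the account level (newer accounts disable it by default, and `Set-AzStorageContainerAcl -Permission Blob` fails without it), and clients that cannot reach the Internet must resolve pki.contoso.com to the internal IIS VM, which needs the same files copied to it by the same job. Load balancing is not something to add on top of Blob storage: the endpoint is already served redundantly by the platform, so the thing worth monitoring is the copy job itself, because a CRL that is not refreshed before its Next Update takes every dependent service down with it.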
