You have to choose a new private key. You cannot install the same CA twice. That is, you cannot take a backup of an existing subordinate CA and deploy it in another site. You have to install a brand new subordinate CA (with a different name) under the existing root. Follow the same guide you used to deploy the existing subordinate CA.
Adding a subordinate certificate authority to an existing two-tier PKI
Hi,
Just wanted to know: if I add a second subordinate Certificate Authority (we have a two-tier PKI) in one of our sites for redundancy, do I need to choose "existing private key" or "a new key" when I am adding the CA role to my new server?
Is there a step-by-step document for this very particular approach?
Limitless Technology 39,926 Reputation points
2021-12-17T15:26:15.79+00:00
Hi @Sam Na
You need to select a new key, and remember you can have two certificates issued for the same domain and same server from different providers and it will cause no disruptions. It is possible to have two sub-CAs. In an ideal configuration, one should have two sub-CAs for high availability, based on usage/requirement.
AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx#Install_Subordinate_Issuing_CA
Hope this resolves your query!
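Both replies say the same thing: generate a new key pair and give the second CA a different name. As an added example that is not part of the original thread (the host names, CA names and paths are assumptions, chosen to look like a realistic deployment), this is what that looks like from PowerShell on the new server, in the same order as the linked step-by-step guide:

```powershell
# Added example (not from the original thread): stand up a second enterprise
# subordinate CA with a NEW key pair and a distinct CA name under the existing
# offline root. Host names, CA names and paths are assumptions.
# Run elevated on the new server as an Enterprise Admin.

$NewCaName  = 'Contoso-Issuing-CA-02'          # must differ from the existing issuing CA's name
$RootConfig = 'ROOTCA01\Contoso-Root-CA'       # offline root, "Host\CAName" form
$ReqFile    = "C:\PKI\$NewCaName.req"
$CertFile   = "C:\PKI\$NewCaName.cer"

# 1. Install the role binaries and management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure the CA. With neither -KeyContainerName nor -CertFile given,
#    the cmdlet creates a new key pair and writes a request for the root to sign.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName $NewCaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile $ReqFile `
    -Force

# 3. Carry the .req to the offline root on removable media and, on the root:
#      certreq -submit -config "ROOTCA01\Contoso-Root-CA" Contoso-Issuing-CA-02.req
#      (the standalone root leaves it pending; note the RequestId it prints)
#      certutil -resubmit <RequestId>
#      certreq -retrieve -config "ROOTCA01\Contoso-Root-CA" <RequestId> Contoso-Issuing-CA-02.cer
#    and bring the .cer (plus the root's .crt and current .crl) back.

# 4. Back on the new subordinate CA: trust the root locally, install the issued
#    CA certificate and start the service. -installcert builds the chain, so the
#    root's CRL and AIA locations must be reachable from this server or it fails.
certutil -addstore -f Root 'C:\PKI\Contoso-Root-CA.crt'
certutil -installcert $CertFile
Start-Service certsvc

# 5. Sanity check: the new CA answers an ICertRequest (RPC/DCOM) ping under its own name.
certutil -config "$env:COMPUTERNAME\$NewCaName" -ping
```

The only choice that actually differs from the first issuing CA is the name in `-CACommonName`; everything else (root, templates, CDP/AIA design) is repeated, which is exactly why the existing deployment guide applies unchanged.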
Vadims Podāns 9,186 Reputation points MVP
2021-12-20T08:55:59.727+00:00
"Do I need to use common CDP/AIA locations or should they be different?"
I personally never host CDP/AIA on CA itself. I always use common server with installed IIS as CDP/AIA hosting server. This gives me better security (you don't install additional roles on CA, smaller attack surface) and maintainability (easy to migrate to another server with different host name). Here is the guidance I'm using in my installations: https://www.sysadmins.lv/blog-en/designing-crl-distribution-points-and-authority-information-access-locations.aspx
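As an added example that is not part of Vadims's answer, here is the CA-side configuration that puts the CDP and AIA on a separate IIS host rather than on the CA itself. The host pki.corp.example, the share name and the CA name are assumptions; the registry value names, flag bits and substitution tokens are AD CS's own.

```powershell
# Added example (not from the original thread): advertise only a shared IIS host
# in the CDP/AIA extensions, keep local file publishing for the CA to write to,
# then copy the published files across. pki.corp.example, the share and the CA
# name are assumptions. Run elevated on the issuing CA.

$CaName   = 'Contoso-Issuing-CA-02'
$HttpBase = 'http://pki.corp.example/pki'       # one vhost serves every CA in the hierarchy
$IisShare = '\\pki.corp.example\pki$'           # write target on the IIS host
$Local    = "$env:SystemRoot\system32\CertSrv\CertEnroll"

# CRLPublicationURLs flag bits: 1 = publish CRL here, 64 = publish delta CRL here,
# 2 = include in issued certs' CDP extension, 4 = include in CRLs (delta location).
# Local path: 65 (written to, never advertised). HTTP: 6 (advertised, never written to).
# certutil treats a literal "\n" in the value as the separator between entries.
certutil -setreg CA\CRLPublicationURLs ('65:' + $Local + '\%3%8%9.crl' + '\n' + '6:' + $HttpBase + '/%3%8%9.crl')

# CACertPublicationURLs flag bits: 1 = publish CA cert here, 2 = include in AIA,
# 32 = OCSP location. Same split: write locally, advertise the HTTP URL.
certutil -setreg CA\CACertPublicationURLs ('1:' + $Local + '\%3%4.crt' + '\n' + '2:' + $HttpBase + '/%3%4.crt')

# The new URLs are read at service start; restart, then publish a fresh CRL.
Restart-Service certsvc
certutil -CRL

# Push CRLs and the CA certificate to the IIS host (a scheduled task in production,
# run at least as often as the CRL publication interval).
Copy-Item "$Local\*.crl" $IisShare -Force
Copy-Item "$Local\*.crt" $IisShare -Force

# One-time, on the IIS host: delta CRL file names contain '+', which IIS request
# filtering rejects unless double escaping is allowed.
#   Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
#       -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping -Value $true

# Verify: export the CA's own certificate and fetch every CDP/AIA URL in its chain.
certutil -ca.cert "C:\PKI\$CaName.cer"
certutil -verify -urlfetch "C:\PKI\$CaName.cer"
```

Because the only advertised location is the shared host, a second (or replacement) issuing CA reuses the same vhost, and moving the IIS box later is a DNS change rather than a re-issue of every certificate that embeds the URL. The local file entry stays so the CA has somewhere to write; it is never advertised, so the CA itself does not need IIS, which is the smaller attack surface the answer refers to.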
85683820 1 Reputation point
2022-10-25T14:41:49.26+00:00
How did it go with a 2nd issuing CA? I am curious because we were asked to set ours up the same way, with a different region for each issuing CA, just like you, only from scratch for our project. We were able to get everything looking right in pkiview.msc. We are still having trouble with the second issuing CA, though: it doesn't seem to be communicating as online in the Certificates MMC snap-in. In pkiview, it depends on which server I am testing from. When I am on the south (1st issuing server), it shows the 2nd issuing CA as offline and everything on the 1st is good, and when I am on the north (2nd issuing server) it is the exact opposite.

We ran tests and got the following results. I should mention we were asked to place the 2nd issuing CA in a different subnet and region. So we ran the following test with our Azure test VMs running Windows 10. The results reflect whether we received an MMC certificate from the issuing CA or not. The only issuing CA that responded was the 1st one, in the same region as the root CA. The y or n below shows whether the servers were turned on or off, starting with the root, then the 1st and 2nd issuing CAs; the results are from the Certificates MMC snap-in.

Name        Subnet  Root CA  1st Issuing CA (South)  2nd Issuing CA (North)  Result
test-vm-01  South   y        y                       y                       Successful through 1st Issuing CA
test-vm-02  South   y        y                       n                       Successful through 1st Issuing CA
test-vm-03  South   y        n                       y                       Failed
test-vm-04  South   n        y                       y                       Successful through 1st Issuing CA
test-vm-05  South   n        n                       y                       Failed
test-vm-06  South   n        y                       n                       Successful through 1st Issuing CA
test-vm-07  North   n        y                       n                       Failed
test-vm-08  North   n        n                       y                       Failed
Steps we followed
1 Create VM
2 Turn Servers on or off
3 Join new vm to domain
4 Check for cert
It doesn't line up in here with the headings, but it is in the same order as the results. The most surprising result to me is test 7, because the subnet and region of the test VM are the only difference I found. Not sure why, but it seems like the machines will only get a cert if they are on the same subnet as the issuing CA. Any ideas?
Any advice would be appreciated. Thanks
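A check a practitioner would run against the symptom described above (a CA that shows as online from one subnet and offline from another), as an added example that is not part of the post. It does not assume a cause; it only enumerates the enterprise CAs published in AD from a domain-joined Windows client and tests, per CA, the two things the Certificates snap-in and pkiview need before they report a CA as online: TCP 135 on the CA host and an ICertRequest ping over RPC/DCOM.

```powershell
# Added example (not from the original thread): test every enterprise CA that
# AD advertises, from the client's point of view. Assumes a domain-joined
# Windows client with PowerShell 4+ (Test-NetConnection). The port facts are
# AD CS/DCOM behaviour, not taken from the thread's results.

function Get-EnterpriseCA {
    # The Enrollment Services container in the Configuration partition lists
    # every enterprise CA clients can enrol against; no RSAT module required.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $base     = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$base)
    $searcher.Filter = '(objectClass=pKIEnrollmentService)'
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'dNSHostName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            CAName = [string]$r.Properties['cn'][0]
            Host   = [string]$r.Properties['dnshostname'][0]
        }
    }
}

function Test-EnterpriseCA {
    foreach ($ca in Get-EnterpriseCA) {
        $config = "$($ca.Host)\$($ca.CAName)"
        # 135 is only the endpoint mapper. After it answers, the CA hands the
        # client a dynamic RPC port (49152-65535 by default), which must also be
        # open between the client's subnet and the CA's.
        $tcp135 = (Test-NetConnection -ComputerName $ca.Host -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
        # -ping performs the same ICertRequest call enrolment starts with.
        $ping   = certutil -config $config -ping 2>&1
        [pscustomobject]@{
            Config    = $config
            Tcp135    = $tcp135
            RpcPingOK = ($LASTEXITCODE -eq 0)
            Detail    = ($ping | Select-Object -Last 1)
        }
    }
}

Test-EnterpriseCA | Format-Table -AutoSize
```

Run it from a VM in each subnet and compare the rows: a CA that pings from its own subnet but whose Tcp135 or RpcPingOK column is false from the other one narrows the problem to the path between the subnets rather than to the CA configuration, while a CA that fails the ping from everywhere points back at the CA itself.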