Failover question for 2 subordinate CAs

Janus Bariñan
2020-10-18T16:22:31.293+00:00

I am planning to have two enterprise subordinate CAs for redundancy. There are a couple of questions I want to get clear. This is in a domain environment where the root CA is a standalone CA.

If there are 2 enterprise subordinate CAs, how will the certificates of client machines get distributed?

How will the client machines choose which subordinate CA to get the certificate from?

If subordinate CA 1 issues a certificate to a client machine and then subordinate CA 1 goes down, how will subordinate CA 1 assume the role of renewing the client machine's certificate?

Will the two CAs have the same common name, or should it be different?

Is it possible to configure failover for the 2 subordinate CAs?


Accepted answer
  Clément BETACORNE
    2021-11-16T08:47:06.76+00:00

    Hello,

    Below you will find an excellent step-by-step guide for implementing a clustered issuing CA:
    https://social.technet.microsoft.com/wiki/contents/articles/15067.step-by-step-guide-clustering-an-existing-certification-authority.aspx
    To answer your questions: in the CA cluster you will have an active node and a passive node, as far as I know, so your client will request the certificate from the active node.
    Because they will share the same database, the passive node will be able to renew client machine certificates if the active node goes down.
    The 2 CAs will share the same CA name.

    The other option can be to have multiple issuing CAs, but the issue with this configuration is that during the certificate request the first one to respond will issue the certificate for your client if the same template exists on your 2 CAs. The good news is that you can use the enrollment policy service to build the list for your client.
    https://social.technet.microsoft.com/Forums/ie/en-US/61edb934-029d-4fad-b752-ae7d2f255538/issue-with-multiple-enterprise-issuing-cas?forum=winserversecurity
    https://learn.microsoft.com/en-us/answers/questions/298788/how-clients-get-a-certificate-if-there-are-multipl.html

    For the renewal I'm not 100% sure, but it will follow the same principle as the issuing part: build a list of issuing CAs and check if they support the template issued.
    https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-part-2.aspx

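The answer points out that with several issuing CAs a client enrolls against whichever CA publishing the template answers first, so redundancy only exists for templates published on more than one CA. The following PowerShell, added here as an example and not part of the original answer, reads the enterprise CAs registered in the forest's Enrollment Services container and reports which templates are published on one CA versus several. It assumes a domain-joined machine and an account that can read the Configuration partition; function names are my own.

```powershell
# Enumerate the enterprise CAs published in AD (pKIEnrollmentService objects)
# together with the certificate templates each one publishes.
function Get-EnterpriseCATemplates {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $configNc   = [string]$rootDse.configurationNamingContext
    $searchBase = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$searchBase
    $searcher.Filter     = '(objectClass=pKIEnrollmentService)'
    $searcher.PropertiesToLoad.AddRange(@('cn', 'dNSHostName', 'certificateTemplates'))

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            CAName    = [string]$result.Properties['cn'][0]
            Host      = [string]$result.Properties['dnshostname'][0]
            # A CA with no published templates yields an empty array here.
            Templates = @($result.Properties['certificatetemplates'] | ForEach-Object { [string]$_ })
        }
    }
}

# For every template seen on any CA, list the CAs that publish it.
# Redundant = $false means a single CA outage stops enrollment and renewal
# for that template; Redundant = $true means the first CA to respond issues.
function Compare-CATemplatePublication {
    param([Parameter(Mandatory)][object[]]$CAs)

    $allTemplates = $CAs | ForEach-Object { $_.Templates } | Sort-Object -Unique
    foreach ($template in $allTemplates) {
        $publishers = @($CAs |
            Where-Object { $_.Templates -contains $template } |
            ForEach-Object { $_.CAName })
        [pscustomobject]@{
            Template    = $template
            PublishedOn = ($publishers -join ', ')
            Redundant   = ($publishers.Count -ge 2)
        }
    }
}

$cas = Get-EnterpriseCATemplates
$cas | Format-Table CAName, Host, @{ n = 'TemplateCount'; e = { $_.Templates.Count } }
Compare-CATemplatePublication -CAs $cas | Sort-Object Redundant, Template | Format-Table -AutoSize
```

Templates reported with Redundant = False are the ones to publish on the second CA if the goal of the second CA is redundancy rather than separation of duties.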
