Fault tolerance of PKI infrastructure

Mountain Pond 1,391 Reputation points
2024-06-05T18:13:08.9766667+00:00

Hello,

the infrastructure has a Root CA and an Issuing CA. However, after it was installed, I did not pay attention to its condition. As it turned out, it was necessary to update the certificate for the Issuing CA. But unfortunately, over the past time, Root CA has issued and signed user certificates and certificates for domain controllers.

I don’t see the issued certificates for the Issuing CA and now I’m worried that the network certificates will remain valid if the Root CA is turned off or something happens to it.

What would you recommend to do in this case?

I also wanted to ask about fault tolerance.

As far as I understand, backup of the Root CA and the presence of one or more Issuing CAs is enough to ensure minimal fault tolerance?

Thank you.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,454 questions
0 comments No comments
{count} votes

Accepted answer
  1. Daisy Zhou 20,461 Reputation points Microsoft Vendor
    2024-06-06T12:25:45.7866667+00:00

    Hello Mountain Pond,

    Thank you for posting in Q&A forum.

    I don’t see the issued certificates for the Issuing CA and now I’m worried that the network certificates will remain valid if the Root CA is turned off or something happens to it. What would you recommend doing in this case?

    A1: So both the root CA and issuing CA are in the domain (Online Enterprise CA), am I right?

    If so, I think there are two options in your case.

    First
    You can issue one issuing CA certificate using root CA.
    Then issue certificate to users, computers (domain controllers) and network using this issuing CA certificate.

    If these user certificate, domain controller certificates and network certificates issued by the issuing CA work fine, then you can revoke the user certificates and certificates for domain controllers and network certificate that issued by root certificate.

    Second

    You can keep the user certificate, domain controller certificates and network certificates issued by the root CA certificate. Then deploy another new PKI structure with new root CA and multiple new issuing CAs. Then you will have two PKI architectures (one is the root CA; the other one is one root CA with multiple issuing CAs).

    As far as I understand, backup of the Root CA and the presence of one or more Issuing CAs is enough to ensure minimal fault tolerance?

    A2: Yes, you are right. You can deploy one Root CA and multiple issuing CAs.

    If one of the issuing CA has problem, you can use another issuing CA to issue certificates to end entity (user account, computer account or service account).

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

0 additional answers

Sort by: Most helpful