CDP redundancy

stefan Minehan 41 Reputation points
2020-11-24T19:41:11.723+00:00

Hi There

Looking for some advice on CDP redundancy.

I'll be implementing a PKI setup:

Offline Root CA
Issuing CA
Issuing CA
IIS Web server

These won't be configured in a cluster (from what I could tell it uses a shared volume, which to me is a single point of failure anyway?)

We don't need on-demand certificates and will be mainly issuing RDP and SSL certs for internal servers.

It doesn't matter either which CA issues the certificate, but obviously it needs to be able to issue/sign its CRL.

I'm wondering, if I also put IIS on one of the issuing CAs, how would I ensure the AIA/CRL info is published to both web server virtual folders automatically?

issuingserver-1 would need the cert and CRL for itself and also issuing-server2, right?

So if I create a DNS name like pki.domain.local and include this on the AIA/CDP with an HTTP entry on both web servers, how do I ensure that the CRLs/AIA exist for both servers on each server?

I assume that if a client cert came from issuing-server1 with an issuing-server1.crl, if this server went down and the client tried to refresh its CRL for the certificate, unless that CRL also existed on the independent web-server/CDP location it would fail.

The issue is getting the issuing servers to publish their CRL/cert to both servers when they are both looking at one DNS record, pki.domain.local?

If I created two A records, for issuing server 1 and issuing server 2, would each server publish to both servers?

Do I need to create a load-balanced web server setup and then set the IP for pki.domain.local to the cluster IP? (Would the CAs then publish to both servers in the cluster?)

I'm concerned that only one server would be selected and I would have to manually copy the CRL/AIA files to the other issuing server.

Otherwise, I doubt we will revoke certs often, so I would probably turn off delta CRLs, set the overlap to three days and just reinstate any server that fails before the next CRL publish is needed.

This will be set up in Azure for issuing certs to the cloud servers and on-prem. Management is determined to get rid of as much on-prem stuff as possible.

Thanks


Accepted answer
  1. Vadims Podāns 9,186 Reputation points MVP
    2020-11-24T21:01:25.757+00:00

    I would say that your objective is poorly defined and the proposed solution is unfortunately not so good either.

    For Azure deployment there is only one solution: CDN. It is scalable and highly available.

    For an on-premises solution, you may consider setting up a pair of IIS servers and configuring them as an NLB cluster or putting them behind a load balancer. During setup, you will configure DNS with the NLB cluster name and virtual IP address. This is the entry point clients will use to connect to the web server. NLB will re-route clients to any available NLB node.

    Create a shared folder on each server to store PKI files from CAs. Configure DFS to replicate this share between NLB nodes. Create or use an existing DFS namespace to access the share remotely for PKI data publication (say, "\\MyCoolDfsNamespace\pki"). Grant the "Cert Publishers" group write permissions, both NTFS and share. Configure all online CAs to publish CRLs to this share using UNC paths.

    Do not install IIS on CAs.

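How the design in the accepted answer is wired into an issuing CA, as an added example that is not code from the thread: the CA publishes CRLs to the DFS-replicated share, while issued certificates carry only the load-balanced HTTP name, so no CDP or AIA URL points at a single CA or IIS host. Assumed names: the DFS namespace `\\MyCoolDfsNamespace\pki` from the answer, `pki.domain.local` from the question, and an IIS virtual directory `/pki` (my assumption); it runs on each issuing CA with the ADCSAdministration module.

```powershell
# Added example (not from the thread). Assumptions: DFS namespace
# \\MyCoolDfsNamespace\pki (from the answer), client-facing name
# pki.domain.local (from the question), IIS virtual directory /pki (assumed).
Import-Module ADCSAdministration

$share    = '\\MyCoolDfsNamespace\pki'
$httpBase = 'http://pki.domain.local/pki'

# 1. Drop the default HTTP CDP/AIA entries: they name the CA's own host, and the
#    answer says IIS is not installed on the CAs, so those URLs would never resolve.
Get-CACrlDistributionPoint | Where-Object { $_.Uri -like 'http://<ServerDNSName>/*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -like 'http://<ServerDNSName>/*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# 2. Publishing target: base and delta CRLs are written to the replicated share.
#    Publish flags only; a file:// URL must never appear inside issued certificates.
Add-CACrlDistributionPoint -Uri "file://$share\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -PublishToServer -PublishDeltaToServer -Force

# 3. CDP placed in issued certificates: the load-balanced HTTP name, so losing one
#    IIS node or the issuing CA itself does not break revocation checking.
Add-CACrlDistributionPoint -Uri "$httpBase/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# 4. AIA placed in issued certificates: same HTTP name for the CA certificate.
Add-CAAuthorityInformationAccess -Uri "$httpBase/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# 5. The schedule the question proposes: no delta CRLs and a 3-day overlap, so a
#    base CRL stays valid 3 days past its next publish time, which is the window
#    for rebuilding a failed CA before clients start failing revocation checks.
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLOverlapPeriodUnits 3
certutil -setreg CA\CRLOverlapPeriod 'Days'

# Apply, force a CRL publish, and copy the CA certificate to the share once
# (CRL publishing writes only .crl files; the .crt is not re-published).
Restart-Service certsvc
certutil -CRL
Copy-Item "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crt" -Destination $share

# Checks: the URL set the CA will use, and the files that actually landed on the share.
Get-CACrlDistributionPoint | Format-Table Uri, PublishToServer, AddToCertificateCdp -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia -AutoSize
Get-ChildItem "$share\*" -Include *.crl, *.crt | Select-Object Name, LastWriteTime
```

After the first certificate is issued, `certutil -verify -urlfetch <issued.cer>` from a client shows whether every CDP and AIA URL in the certificate is actually retrievable through the load balancer.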

2 additional answers

  1. Vicky Wang 2,736 Reputation points
    2020-11-25T06:53:46.81+00:00

    Hi,

    I am glad to hear that your issue was successfully resolved / I am pleased to know that the information is helpful to you. If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,
    Vicky


  2. stefan Minehan 41 Reputation points
    2021-03-24T03:42:36.857+00:00

    What I ended up doing was creating two web servers with an Azure internal load balancer (turns out you can't use the Windows Server one in Azure), with the issuing CA publishing the CRL/CRT through the file:// extension option as Crypt32 suggested.
    Then using the AIA extension with an HTTP address, with the pki.domain.local A record pointing to the LB IP.

    https://www.itprotoday.com/iaaspaas/q-can-i-use-network-load-balancing-feature-azure

    Helpful links for PKI:
    https://www.windows-noob.com/forums/topic/16254-how-can-i-configure-pki-in-a-lab-on-windows-server-2016-part-1/
    https://timothygruber.com/pki/deploy-a-pki-on-windows-server-2016-part-1/
    https://www.pkisolutions.com/tools/pspki/add-crldistributionpoint/ (knowing how to correctly format custom cdp/AIA)

    https://www.youtube.com/watch?v=7u1Nkb8rLG0&ab_channel=RandyTips (lab so not following best practice but good for an understanding of the cluster setup)
