Microsoft CA High Availability

Sukhwinder Singh 51 Reputation points
2025-05-16T19:33:06.1966667+00:00

Hi All,

I am working on analyzing the PKI infrastructure for one of our clients. They have two PKI servers in different locations with the same PKI templates published. The clients are getting certificates from both servers simultaneously.

As per my understanding, a certificate issued by PKI1 cannot be validated as, and is not the same as, one issued by PKI2. Certificates are issued from both servers to the same clients, which is duplication.

We should plan the redundancy/high availability of the CDP/AIA locations, and for the PKI server we can have a second PKI server available and configured; however, during a disaster the templates should be published on the new server.

This will keep the PKI available as HA with no duplication.

Moreover, if proper backups are in place, the new server can be configured within a few hours.

I have a few questions for the experts:

  • Is there any document available where it is suggested to have multiple servers with all templates, with both active at the same time?
  • Has anyone come across this type of requirement, and what is the best way to design this?
  • Does the PKI issuing server going down cause a real issue when the CDP and AIA locations are on a different share, other than new certificates not being issued? To my understanding there is always a grace period for clients to renew certificates, and if the server is not available the clients will retry.

1 answer

  1. Benjamin Wang 75 Reputation points Microsoft External Staff Moderator
    2025-05-30T09:01:12.04+00:00

    Hello,

    The situation you described involves multiple PKI servers publishing the same templates and issuing certificates to the same clients simultaneously, which indeed presents architectural issues. This kind of “parallel issuance” model carries the following risks:

    • Certificate Duplication: The same client may receive certificates from two different CAs, leading to management confusion.
    • Trust Chain Inconsistency: Even if the templates are identical, certificates issued by different CAs belong to different trust chains and cannot validate each other.
    • CRL and AIA/CDP Inconsistency: Clients may fail to properly validate certificate status due to mismatched revocation lists and authority information access points. For your reference:

    1. https://social.technet.microsoft.com/wiki/contents/articles/7421.active-directory-certificate-services-ad-cs-public-key-infrastructure-pki-design-guide.aspx#Plan_for_CA_Capacity_Performance_and_Scalability

    2. https://techcommunity.microsoft.com/blog/microsoft-security-blog/step-by-step-2-tier-pki-lab/4413982

    Best Regards

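A local check for the duplication problem discussed above, added here as an example and not part of the original thread: it inventories the machine's personal certificate store and flags any template that currently holds unexpired certificates issued by more than one CA. It assumes the certificates carry the standard AD CS template extensions (OID 1.3.6.1.4.1.311.21.7 for v2+ templates or 1.3.6.1.4.1.311.20.2 for v1 templates), which AD CS-enrolled certificates do.

```powershell
# Added example, not the thread's own code: find templates served by more than one
# issuing CA on this host (the "parallel issuance" pattern from the question).
# Assumption: AD CS template extensions are present on enrolled certificates.

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') {
            # v2 renders as "Template=Name(OID), Major Version Number=..."; v1 is the bare name.
            return (($ext.Format($false) -replace '^Template=', '') -split '[(,]')[0].Trim()
        }
    }
    return $null
}

$now = Get-Date
$groups = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -gt $now -and $_.Issuer -ne $_.Subject } |   # skip expired and self-signed
    ForEach-Object {
        [pscustomobject]@{
            Template   = Get-TemplateName $_
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
        }
    } |
    Where-Object { $_.Template } |
    Group-Object Template |
    Where-Object { @($_.Group.Issuer | Sort-Object -Unique).Count -gt 1 }

foreach ($g in $groups) {
    Write-Warning "Template '$($g.Name)' has live certificates from multiple CAs:"
    $g.Group | Sort-Object Issuer | Format-Table Issuer, Thumbprint, NotAfter -AutoSize
}
if (-not $groups) {
    Write-Output 'No template is served by more than one issuing CA on this host.'
}
```

Run it in an elevated session on a representative client; a warning for any template means both CAs are enrolling the same machine, which is the duplication the thread describes.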
