Setup an additional subCA with existing private key - PKI and NDES HA

Question

Hi,

Installing two PKI with one offline root CA and 3 enterprise subCA's and associate 3 NDES servers (it's a requirement, could not convince for anything else) and make sure that the subCA's and NDES act as HA. Planning to do below, please correct me

1) Add all three sub CA's in CDP and AIA http address on the root
2) Discussion in the below link suggest assigning same template to all sub CA's. Not sure how it works?
https://social.technet.microsoft.com/Forums/en-US/e179f904-4104-4928-a847-b377c3b00303/designing-a-new-pki?forum=winserversecurity

3) This link talks about common CDP and AIA. Is this valid? or Enable Double Escaping in IIS as mentioned toward end of the fourm?
https://social.technet.microsoft.com/Forums/en-US/1dc90fb5-5fe6-40bf-81e7-4faa0dfbb8d5/add-a-second-subordinate-server-in-a-twotier-pki-hierarchy-?forum=winserversecurity

4) and/or copy CRL and CRT files between the 3 sub CA's at regular intervals using a script?

Appreciate advice.

Answer 1

Hello @Vinod Reddy ,

Thank you for posting here.

Based on the description above, I understand you want to set up two-tier PKI with one offline root CA and three parallel online enterprise sub CAs.

And here are my suggestions for your references.

1) Add all three sub CA's in CDP and AIA http address on the root
A: Prepare four Windows servers, one server for offline root CA and three servers for online enterprise sub CAs.

And then deploy it based on the steps in the following link.
AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

2) Discussion in the below link suggest assigning same template to all sub CA's. Not sure how it works?
https://social.technet.microsoft.com/Forums/en-US/e179f904-4104-4928-a847-b377c3b00303/designing-a-new-pki?forum=winserversecurity
A: Deploy two-tier PKI based on the steps in the following link, you do not need to assign template to all sub CA's.

3) This link talks about common CDP and AIA. Is this valid? or Enable Double Escaping in IIS as mentioned toward end of the fourm?
https://social.technet.microsoft.com/Forums/en-US/1dc90fb5-5fe6-40bf-81e7-4faa0dfbb8d5/add-a-second-subordinate-server-in-a-twotier-pki-hierarchy-?forum=winserversecurity

A: The common CDP and AIA is one location that you can put CRL files and CRT files in it. You can create one or more CDP and AIA locations based on your requirements.

Usually, for CDP and AIA locations, we can set up one or more locations (file, http and ldap locations).

Configure the CDP and AIA Extensions on CA1
https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1

4) and/or copy CRL and CRT files between the 3 sub CA's at regular intervals using a script?
A: For CRL and CRT files on sub CAs, you do not need to copy, because they are in the domain, for CRL and CRT files on offline root CA, you can copy using a script at regular intervals or you can copy them manually after you republish CRL and renew root CA cert (Because usually the validity period of the CRL or certificate of the root CA is relatively long).

For more information, please refer to link below.
AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

Tip: Each of the above small steps contains a lot of operations.
It is recommended that you set up a similar CA environment in the test environment, and then record all these steps in a document if needed, and write down the key points and precautions.
If there are no problems, follow the similar the steps in the production environment, so that even if you encounter any problems in the production environment, you should be able to troubleshoot or solve them well.

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 2

Thanks a lot Daisy. I will go through the steps and update this post.
Also any suggestions on NDES? We need 3 NDES close to the 3 enterprise sub ca's to achieve HA. As I understand MS does not support HA for NDES?

Answer 3

Hello @Vinod Reddy ,

Thank you for your reply.

In my lab, I install NDES on one member server instead of CA server.

You can install NDES on CA server or member server.

Can I install the NDES role on a Clustered Certification Authority?
You can install it on any of the Certification Authority cluster nodes, and then point the NDES configuration to the Clustered Certification Authority to request certificates. This will not provide service high availability or load balancing. It is recommended to install the Network Device Enrollment Service on a separate member server if you already have a clustered CA.

For more information, please refer to link below.

Network Device Enrollment Services (NDES) Frequently Asked Questions (FAQ):
https://social.technet.microsoft.com/wiki/contents/articles/12610.network-device-enrollment-services-ndes-frequently-asked-questions-faq.aspx

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 4

Here is my setup

(1) We already have an existing PKI hierarchy PKI-Old. I cannot remove this, that’s the current requirement.
(2) I am setting up new one “PKI-new”. This will only be used to serve NDES and HA is a requirement.

It is a two tier setup with Offline Root CA and 3 Enterprise Sub CA’s.
So:
2.1) CDP and AIA - I have added all three Enterprise sub CA’s on each sub CA.
http://<FQDN1 of ent Sub CA>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
FQDN 1, 2 and 3 for both CDP (crl) and AIA (crt)

• Is this OK?

2.2) Should I remove all the Certificate Templates on all three sub CA’s and just add the required custom/duplicate templates? (So that PKI-old is not affected)
2.3) In the event of one data centre not available, to achieve HA, will the below steps help?
o Use same certificate template on all three CA’s
o copy the three crl’s between all three CA locations
o Configure overlap, increase the certificate revocation to maybe 7 days and publish the list every day
o and configure DNS round robin

Many thanks,
Vinod

Answer 5

Hello @Vinod Reddy ,

Thank you for your reply.

2.1) CDP and AIA - I have added all three Enterprise sub CA’s on each sub CA.
http://<FQDN1 of ent Sub CA>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
FQDN 1, 2 and 3 for both CDP (crl) and AIA (crt)

• Is this OK?
  A: It should be no problem, it means you put the CRL files and CRT files into multiple locations.

2.2) Should I remove all the Certificate Templates on all three sub CA’s and just add the required custom/duplicate templates? (So that PKI-old is not affected)
A: Certificate Templates are store on AD Domain Controllers instead of CA servers. I think you should not remove all the Certificate Templates on all three sub CA’s.

2.3) In the event of one data centre not available, to achieve HA, will the below steps help?
A: I suggest you can test it in your lab to see if it helps..

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.