Three node PKI setup Question
-
Good morning,
We are looking to set up a three node PKI infrastructure, all running Server 2012 R2: a standalone Root CA (not in the domain) and 2 Enterprise Subordinate CAs (in the same domain). We already have the root CA and one of the enterprise CAs deployed and it's working great. We would like to add a 2nd enterprise CA so that when the first enterprise CA is not available it can still respond to certificate requests; however, I'm not able to find much online documentation for doing such a thing. The 2 enterprise CAs would essentially be at the same level in the domain, and when both are running, either one could respond to requests. Can you provide me with any documentation on doing this, or do you have any steps/recommendations for accomplishing this task?
Thanks,
Steve
-
Hello Steve,
If you are adding a second subordinate CA for load balancing/fault tolerance reasons, the process will be the same as adding the first subordinate CA.
- Install the CA role
- Configure the CA as an enterprise subordinate CA, and request a subordinate CA certificate from the root CA
- Issue the new certificate to the new subordinate CA
- Make sure the new subordinate CA trusts the root CA
- Install the subordinate CA certificate and start the CA service
For load balancing/fault tolerance you will have to configure all of the same certificate templates (which templates to issue, permissions on templates, etc.) on the new subCA as are on the existing subCA. They don't really work together; whichever one hears a new certificate request first will respond, so they need identical configuration.
Just keep in mind, certificates issued from one subCA are tied to that CA. The second subCA cannot renew certificates issued by the first subCA. So if the first subCA is unavailable, the second subCA will be able to handle the new certificate requests, but renewals will have to wait until the first subCA is back online.
Hope this helps,
Mike
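The steps Mike lists, written out as one PowerShell/certutil sequence. This is an added example, not from the original thread or from Microsoft documentation; the hostnames (ROOTCA, SUBCA01, SUBCA02), CA common names, key size and file paths are placeholders, and the root CA is assumed to be offline, so its part is done by hand on that machine. The last section mirrors the list of templates published on the existing subCA onto the new one, which is the per-CA part of "identical configuration"; template permissions live on the template objects in AD and are shared by both CAs.

```powershell
# Added example (not from the original thread). Stand up a second enterprise
# subordinate CA beside an existing one. Names and paths are placeholders.
# Run everything on SUBCA02 unless a comment says otherwise.

# --- 1. Install the CA role ---
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# --- 2. Configure as an enterprise subordinate CA and write a request file.
#        No -ParentCA: the standalone root is offline and cannot be reached. ---
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Contoso Issuing CA 02' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -OutputCertRequestFile 'C:\CAReq\SUBCA02.req' -Force

# --- 3. Issue the subordinate CA certificate on the root (run on ROOTCA,
#        after copying SUBCA02.req over by removable media) ---
#   certreq -submit -config "ROOTCA\Contoso Root CA" C:\CAReq\SUBCA02.req
#     (a standalone root holds the request as pending; note the RequestId)
#   certutil -resubmit <RequestId>
#   certreq -retrieve -config "ROOTCA\Contoso Root CA" <RequestId> C:\CAReq\SUBCA02.crt
#   Copy SUBCA02.crt plus the root certificate and its current CRL back to SUBCA02.

# --- 4. Make sure the new subCA trusts the root: publish the root cert and
#        CRL in AD (needs Enterprise Admins) and in the local machine store ---
certutil -dspublish -f 'C:\CAReq\ContosoRootCA.crt' RootCA
certutil -dspublish -f 'C:\CAReq\ContosoRootCA.crl'
certutil -addstore -f Root 'C:\CAReq\ContosoRootCA.crt'

# --- 5. Install the issued certificate and start the CA service ---
certutil -installcert 'C:\CAReq\SUBCA02.crt'
Start-Service CertSvc

# --- 6. Publish the same templates as the existing subCA (SUBCA01) so that
#        either CA can answer the same kinds of requests ---
$onExisting = Invoke-Command -ComputerName SUBCA01 -ScriptBlock { Get-CATemplate }
$onNew      = Get-CATemplate
$missing    = Compare-Object -ReferenceObject $onExisting -DifferenceObject $onNew -Property Name |
              Where-Object SideIndicator -eq '<='
foreach ($t in $missing) {
    Write-Host "Publishing template '$($t.Name)' on this CA"
    Add-CATemplate -Name $t.Name -Force
}

# --- 7. Verify: the template lists should now match and the CA should answer ---
$stillMissing = Compare-Object -ReferenceObject $onExisting -DifferenceObject (Get-CATemplate) -Property Name
if ($stillMissing) { Write-Warning 'Template lists still differ; review the output above.' }
certutil -config 'SUBCA02\Contoso Issuing CA 02' -ping
```

Repeat step 6 whenever a template is added to or removed from one subCA, or the two will drift apart and clients will get different results depending on which CA answers first.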