DA and Multiple Issuing CA's

  • Question

  • Hey guys, we have a two-tier CA hierarchy with an offline root and two issuing CAs. DirectAccess works fine; however, we want to publish the DA computer certificate template to both issuing CAs to have some resiliency. When we do this and a client rightly picks up a computer certificate from the other CA server to the one the DA server has issued its certificate from, we get an error and the IPsec tunnels fail. If we re-issue the certificate back from the first CA (the same as the DA server), all is fine and dandy.

    Is it supported to publish DA computer templates to two separate CA issuing servers? TechNet says this, which suggests it isn't, but surely there is a way to get better resiliency? Here is a quote from the TechNet link.

    The client certificate and the server certificate should chain to the same root certificate. This root certificate must be selected in the DirectAccess configuration settings. 

    If we issued the DA computer certificate from the offline root, would it technically be chained if the client then issued from one of the sub issuing CAs? I haven't tried this, so thought I would ask. I've got a case open with Microsoft directly but am not getting very far with it.

    Wednesday, December 19, 2018 4:00 PM

Answers

  • Ok so it's a simpler fix: for some reason the subordinate issuing CA root is bound to DA, not the offline root. Doh! Simple fix, just bind the offline root and then both subordinate issuing CAs can be used to dish out the DA certificate template. This allows the chaining TechNet speaks of. Cheers for the assist, Jordan.
    • Marked as answer by Amayacitta Thursday, December 20, 2018 6:33 AM
    Thursday, December 20, 2018 6:32 AM
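    A quick way to confirm the fix described above on a DA client or the DA server is to build the chain of each machine certificate and compare its root against the root bound in the DA configuration. This is an added diagnostic, not code from the thread; the root thumbprint is a placeholder you replace with your offline root's thumbprint, and the Get-DAServer property name in the comment is given from memory and should be checked on your build.

```powershell
# Added diagnostic (not from the thread): for every machine certificate with a
# private key (the IPsec candidates), build its chain and check whether the
# chain ends at the offline root that DirectAccess is configured to trust.
# Run in an elevated PowerShell. Assumption: $ExpectedRootThumbprint is the
# thumbprint of the offline root bound in the DA settings (placeholder below).
# On the DA server that root is visible via (Get-DAServer).IPsecRootCertificate
# (property name as recalled; verify on your build).

$ExpectedRootThumbprint = 'PLACEHOLDER-OFFLINE-ROOT-THUMBPRINT'

function Test-DARootChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$RootThumbprint
    )
    $wanted = ($RootThumbprint -replace '\s', '')   # tolerate pasted spaces
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not the question here; only the chain's top matters.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)
    # Even a failed build usually leaves a partial chain; guard the empty case.
    $root = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    } else { $null }
    $result = [pscustomobject]@{
        Subject        = $Certificate.Subject
        Issuer         = $Certificate.Issuer     # which issuing CA handed it out
        ChainBuilt     = $built
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        MatchesDARoot  = ($null -ne $root -and $root.Thumbprint -eq $wanted)
    }
    $chain.Dispose()
    return $result
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object HasPrivateKey |
    ForEach-Object { Test-DARootChain -Certificate $_ -RootThumbprint $ExpectedRootThumbprint } |
    Format-Table Subject, Issuer, ChainBuilt, RootSubject, MatchesDARoot -AutoSize
```

    A certificate from either issuing CA should show MatchesDARoot as True once the offline root is bound; a False with ChainBuilt True means the DA setting points at an intermediate rather than the root, which is the mismatch the thread describes.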

All replies

  • Yes, chaining to the root in the DA settings should get you to the place you want to be. That way no matter which issuing CA put the machine cert into place on the DA client or server, they are chaining further up the ladder.

    If you're not already in production - this is easily tested. If you are already running production on this system, it might be worth the time to setup a test DA environment to make sure this works as you want it to. Making changes to certificate authentication settings can definitely cause DA to stop working on the client machines (until they get into the office for a GP update), because the DA server will get updated immediately with the new changes but the clients don't, and suddenly they have mismatched configurations. I wouldn't want you to make this quick simple change in the interface only to find out you have stopped everyone from connecting.

    Wednesday, December 19, 2018 4:38 PM
  • Ok, thanks for the help. This is in production for 5000 users, so a test system would be needed. Has anyone else done this before? It takes time to build this out; my current test lab only has a single enterprise CA :( I'd need to build the two-tier CA setup, which takes a day or two.
    Wednesday, December 19, 2018 4:42 PM
  • I meant you could test on your production network (and production CA servers), but with a new DA server. Just set everything about that new DA server up in parallel (new IPs, new DNS name, new group, new GPOs) so that it is completely independent from your existing DA servers. Then you could move some test clients over to the new group and test all you wanted on that guy.
    Wednesday, December 19, 2018 4:44 PM
  • Gotcha, it would take time to sort all that also. I'll have to schedule some resource; in the meantime hopefully someone has tried this before and can just say, yep it works :-)
    Wednesday, December 19, 2018 4:46 PM