Multiple Subordinate Issuing CAs in Windows 2012 for redundancy

  • Question

  • Good Afternoon,

    I would like to have 2 Subordinate Issuing CAs (both Windows 2012 R2) in one site, with only one of them as the preferred / active CA issuing certs to my workstations and the other one as a backup, redundant CA. The backup CA should only issue certs if the primary one goes down.

    How can I go about setting up this configuration? Is it as simple as starting CA services on the primary one and stopping CA services on the other, backup CA server?

    Also, our Domain/Forest functional level is currently 2003. It needs to stay on 2003 due to some dependencies. Can we have the Root and other Issuing CAs on Windows 2012 R2 OS servers without upgrading the DFL/FFL to 2012 R2?

    Saturday, January 17, 2015 10:09 PM

All replies

  • [Puneet Singh]

    Please find the answers inline.

    > I would like to have 2 Subordinate Issuing CAs (both Windows 2012 R2) in one site, with only one of them as the preferred / active CA issuing certs to my workstations and the other one as a backup, redundant CA. The backup CA should only issue certs if the primary one goes down.

    [Puneet Singh] So what you need to do is just publish the template on the Issuing CA which you want to make primary, whereas if the primary goes down then you will publish the template on the secondary one so that it can take over.

    > Also, our Domain/Forest functional level is currently 2003. It needs to stay on 2003 due to some dependencies. Can we have the Root and other Issuing CAs on Windows 2012 R2 OS servers without upgrading the DFL/FFL to 2012 R2?

    [Puneet Singh] The Root CA is normally not part of the domain, so it does not matter, but I would recommend setting everything up on the 2012 R2 OS so that you can take advantage of the latest cryptography algorithms.


    Puneet Singh

    Sunday, January 18, 2015 12:09 AM
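The template switch described in the answer above, as an added PowerShell example that is not from the original thread: the template is enabled on the primary issuing CA only, and is published on the standby CA when the primary stops answering, so clients keep enrolling. The CA config strings, the template name and the exact `certutil -CATemplates` output format are assumptions.

```powershell
# Added example, not from the original thread: keep a certificate template
# enabled on the primary issuing CA only, and move it to the standby CA when the
# primary stops answering. CA config strings and the template name are placeholders.
$PrimaryCA = 'ca1.corp.example\Corp Issuing CA 1'   # "<host>\<CA common name>"
$StandbyCA = 'ca2.corp.example\Corp Issuing CA 2'
$Template  = 'CorpWorkstation'                      # template name, not its display name

function Get-CATemplateNames([string]$Config) {
    # Assumes certutil -CATemplates prints one "<Name>: <DisplayName> ..." line per template.
    $out = & certutil.exe -config $Config -CATemplates 2>&1
    if ($LASTEXITCODE -ne 0) { throw "Cannot query ${Config}: $out" }
    foreach ($line in $out) {
        if ($line -match '^(\S+):\s' -and $line -notmatch '^CertUtil:') { $Matches[1] }
    }
}

function Test-CAOnline([string]$Config) {
    # certutil -ping fails (non-zero exit code) when the CA service does not answer.
    & certutil.exe -config $Config -ping 2>&1 | Out-Null
    $LASTEXITCODE -eq 0
}

function Set-CATemplateEnabled([string]$Config, [string]$Name, [bool]$Enabled) {
    $op = if ($Enabled) { "+$Name" } else { "-$Name" }
    & certutil.exe -config $Config -SetCATemplates $op 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "SetCATemplates $op failed on $Config" }
}

# Steady state: the template is published on the primary only, so clients enroll there.
# If the primary is unreachable, publish it on the standby so enrollment continues;
# when the primary is back, withdraw it from the standby again.
function Invoke-TemplateFailover {
    $onStandby = (Get-CATemplateNames $StandbyCA) -contains $Template
    if (Test-CAOnline $PrimaryCA) {
        if ($onStandby) { Set-CATemplateEnabled $StandbyCA $Template $false }   # fail back
        return 'primary'
    }
    if (-not $onStandby) { Set-CATemplateEnabled $StandbyCA $Template $true }  # fail over
    'standby'
}

Invoke-TemplateFailover
```

Withdrawing the template from the standby, rather than merely stopping its CA service, is what keeps clients away from it: a CA with a stopped service is still listed in the enrollment services container and would be offered to clients.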
  • Thanks for replying, Puneet.

    Yes, I want only the primary Issuing CA to issue / publish templates. If it goes down, we would want the flexibility to bring the Secondary CA online with minimal configuration in a matter of minutes. Basically we are looking to implement a High Availability solution. How can such a setup be configured?

    If this is not the right way, how else can we have high availability for the Issuing CA server?

    Sunday, January 18, 2015 3:07 AM
  • [Puneet Singh] First of all, there is no such term as high availability for an issuing CA; normally in PKI, high availability is for CDP points. So in your case you will have everything ready, and as soon as your primary CA goes down you will bring up the new machine, give it the same host name as your primary CA, join it to the domain and then do the CA installation.

    Note: If an HSM is involved in the PKI then the approach will be a bit different.


    Puneet Singh

    Sunday, January 18, 2015 4:22 AM
  • > First of all there is no term called high availability for issuing CA

    Puneet, unfortunately, you are incorrect.

    To Neeraj_Shah:

    You are looking for an ADCS cluster: http://social.technet.microsoft.com/wiki/contents/articles/9256.active-directory-certificate-services-ad-cs-clustering.aspx

    In this scenario you will have two cluster nodes, where one is active and the second is passive. If the active node goes down, the cluster service will automatically bring up the passive node and make it active.


    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    • Marked as answer by Neeraj_Shah Sunday, January 18, 2015 5:13 PM
    Sunday, January 18, 2015 8:01 AM
  • OK, I do agree with Vadims that you can have high availability using the clustered approach, but I would still say you should do a comparison of clustered vs single instance CA (non-clustered) in your environment, as implementing the clustered approach is not always the best solution.

    And my answer that there is no high availability is for the non-clustered approach, as in the real world scenario you want all your end user certificates to work all the time, whereas if the CA is not available the only thing you won't be able to do is issue certs.

    Puneet Singh

    Sunday, January 18, 2015 3:05 PM
  • Vadims, thanks! One more question: our current Domain & Forest Functional levels are Windows 2003. Our current PKI (Root & Issuing CA) is also on the Windows 2003 OS. If we upgrade our Domain & Forest levels to Windows 2012 R2 prior to setting up the PKI on 2012 R2, will that break anything? I mean, will the current Root/Issuing CA stop working or stop publishing templates/certs if we upgrade the DFL/FFL first? Or do both need to happen at the same time?

    Sunday, January 18, 2015 3:48 PM
  • > If we upgrade our Domain & Forest levels to Windows 2012 R2 prior to setting up the PKI on 2012 R2

    You don't need to raise forest and domain levels to utilize all ADCS features. Remember that the domain/forest functional level affects only domain controllers and their communications. What you really should do is upgrade the Active Directory schema (by running adprep /domainprep and adprep /forestprep) to the newest version. The schema upgrade cannot affect the existing environment, because it can only extend the schema (AD classes cannot be deleted). This should be done before you join new servers to the domain.

    And even if you upgrade the DFL/FFL, only domain controllers will be affected. For example, if you upgrade these levels to 2012 R2, domain controllers prior to Windows Server 2012 R2 will stop working and stop replicating. Therefore the answer to your second question is no: CAs won't be affected as long as they are not installed on domain controllers.


    Vadims Podāns, aka PowerShell CryptoGuy

    Sunday, January 18, 2015 4:25 PM
  • > OK, I do agree with Vadims that you can have high availability using the clustered approach, but I would still say you should do a comparison of clustered vs single instance CA (non-clustered) in your environment, as implementing the clustered approach is not always the best solution.
    >
    > And my answer that there is no high availability is for the non-clustered approach, as in the real world scenario you want all your end user certificates to work all the time, whereas if the CA is not available the only thing you won't be able to do is issue certs.
    >
    > Puneet Singh

    Again, your response is not quite accurate. By providing high availability for CDP/AIA locations you do not solve the following issues:

    -- no new certificates can be issued from the failed service

    -- the failed CA won't be able to publish new CRLs (this is what you missed in your post).

    As a result, if the server goes down for a long time, already issued certificates (by the failed CA) may stop working.


    Vadims Podāns, aka PowerShell CryptoGuy

    Sunday, January 18, 2015 4:31 PM
  • Vadims / Puneet,

    One more question :). How do we go about setting up an Issuing CA dedicated to each site in AD? I want to have one Root CA which will be offline, but need each of my sites (branch offices) to have their own Issuing CA.

    Thanks in advance

    Neeraj

    Tuesday, January 20, 2015 2:29 PM
  • Please find an article which will help you understand how to implement PKI, but it's a non-clustered approach:

    http://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

    Note: If you have an HSM involved in the PKI then the approach will be different, and remember, if you are designing a PKI for the enterprise, whether it's a clustered or non-clustered approach, use an HSM for protecting the private key of the CA, as that is the best practice to be followed for PKI.


    Puneet Singh

    Tuesday, January 20, 2015 2:52 PM
  • On Tue, 20 Jan 2015 14:52:45 +0000, Puneet Singh-PKI wrote:

    > Please find an article which will help you understand how to implement PKI, but it's a non-clustered approach:
    >
    > http://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

    Which doesn't really answer the question about AD CS and site awareness.

    Note that only Windows 8 or Server 2012 and above clients support AD CS site awareness:

    http://social.technet.microsoft.com/wiki/contents/articles/14106.ad-ds-site-awareness-for-ad-cs-and-pki-clients.aspx


    Paul Adare - FIM CM MVP
    Arnold Schwarzenegger virus : Terminates and stays resident. It'll be back.

    Tuesday, January 20, 2015 4:14 PM
  • Paul, sorry if this sounds dumb, but does this mean that if we have multiple issuing CAs (one at each physical site), the Windows 7/XP client workstations will not be able to know which Issuing CA server to contact for getting their certs/templates/CRLs?

    The majority of our folks are on Windows 7 laptops, so how will they know which Issuing/Subordinate CA to go to? Or will they just talk to any one of them randomly?
    Tuesday, January 20, 2015 5:26 PM
  • > client workstations will not be able to know which Issuing CA server to contact for getting their certs/templates/CRLs?

    The question isn't quite correct. They will be able to know which CA to contact: they just select a random CA from the list. They will not be able to select a preferred (nearest) CA. That is, they may contact the local site CA as well as a remote site CA.

    > Or will they just talk to any one of them randomly?

    Exactly.


    Vadims Podāns, aka PowerShell CryptoGuy

    Tuesday, January 20, 2015 6:00 PM
  • Paul / Vadims,

    Quick question, I am a little confused on how a CRL gets updated if the Root CA server is in offline mode.

    I have set up a 2-tier hierarchy in the form of a standalone Root CA in offline mode and a couple of Enterprise Issuing CAs which publish templates/certs to clients. In the Root CA, I had configured the CDP to point to the Issuing CA server via (http://<issuingCA>...crl). The CRL file was then manually copied to the respective folder on the Issuing CA servers. Now that I have put my Root CA offline for security reasons, going forward, if I revoke some certs from my Issuing CA, how does this CRL file get updated when the root CA is offline? Or is it independent of the Root CA, and will it automatically get updated on the Issuing CA server in the IIS directory?

    Thursday, January 29, 2015 8:17 PM
  • > Quick question, I am a little confused on how a CRL gets updated if the Root CA server is in offline mode.

    You turn on the offline CA, generate a new CRL, copy it to removable media and turn the CA off again. After that, publish the CRL from the removable media to the selected locations. Sometimes you will have to turn on your offline CA; CRL publishing is one of those cases. If you need to issue a new sub CA certificate, or revoke an existing one, all these procedures are manual; nothing will happen automatically.


    Vadims Podāns, aka PowerShell CryptoGuy

    • Marked as answer by Neeraj_Shah Thursday, January 29, 2015 8:43 PM
    Thursday, January 29, 2015 8:27 PM
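The manual round trip from the answer above, as an added PowerShell example that is not from the original thread: generate the CRL on the offline root, carry it over on removable media, publish it to the HTTP (and optionally LDAP) CDP from the issuing CA, and check how much validity the published CRL has left so the root is brought up before clients start failing revocation checks. The file paths, the CDP folder and the `certutil -dump` / `-urlfetch` output strings it parses are assumptions.

```powershell
# Added example, not from the original thread: CRL round trip for an offline root CA.
# Paths, the CDP folder and the parsed certutil output strings are assumptions.

# --- Step 1: on the offline root, while it is powered on ---
function New-RootCrl {
    # certutil -CRL writes <CAName>.crl into the CertEnroll folder; return the newest file.
    & certutil.exe -CRL 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -CRL failed' }
    Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll" -Filter *.crl |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

# --- Step 2: on the issuing CA / IIS host, reading the file from removable media ---
function Get-CrlNextUpdate([string]$Path) {
    # Assumes certutil -dump prints a "NextUpdate: <date>" line in the local date format.
    $line = & certutil.exe -dump $Path 2>&1 | Where-Object { $_ -match 'NextUpdate:' } | Select-Object -First 1
    if (-not ($line -match 'NextUpdate:\s*(.+)$')) { throw "No NextUpdate found in $Path" }
    [datetime]::Parse($Matches[1].Trim())
}

function Publish-RootCrl([string]$SourceCrl, [string]$CdpFolder, [switch]$ToActiveDirectory) {
    # Refuse to publish a CRL that is already past NextUpdate: it has to be regenerated on the root.
    $next = Get-CrlNextUpdate $SourceCrl
    if ($next -lt (Get-Date)) { throw "CRL $SourceCrl expired at $next; regenerate it on the root CA" }
    Copy-Item $SourceCrl -Destination $CdpFolder -Force          # HTTP CDP served by IIS
    if ($ToActiveDirectory) {                                    # LDAP CDP, if one is configured
        & certutil.exe -dspublish -f $SourceCrl 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'certutil -dspublish failed' }
    }
    $next
}

# --- Step 3: verify that every CDP URL in the issuing CA certificate now serves a valid CRL ---
function Test-CrlReachable([string]$IssuingCaCertPath) {
    # Assumes -urlfetch output marks unreachable or stale locations with a 'Failed' entry.
    $out = & certutil.exe -verify -urlfetch $IssuingCaCertPath 2>&1
    ($LASTEXITCODE -eq 0) -and -not ($out -match 'Failed')
}

# Usage on the issuing CA, e.g. from a weekly scheduled task, warning before expiry:
# $next = Publish-RootCrl -SourceCrl 'E:\CorpRootCA.crl' -CdpFolder 'C:\inetpub\pki' -ToActiveDirectory
# if (($next - (Get-Date)).TotalDays -lt 14) { Write-Warning "Root CRL expires $next; schedule the root" }
# if (-not (Test-CrlReachable 'C:\pki\CorpIssuingCA.cer')) { Write-Warning 'CDP check failed' }
```

The revoked-certificate CRLs of the issuing CAs themselves are unaffected by the offline root: each issuing CA signs and publishes its own CRL automatically on its configured schedule.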
  • Thanks Vadims ! You are the man !!
    Thursday, January 29, 2015 8:44 PM
  • Vadims,

    I am noticing a weird issue in my environment. Perhaps you could advise on this, or maybe this is how it's supposed to work. I need your expertise.

    We are currently using EAP-TLS for our wireless authentication. We have a production RADIUS server and a testing RADIUS server. On both RADIUS/NPS servers we have selected "Microsoft:Smart or certificate" as the authentication type under EAP in our NPS/RADIUS server.

    We currently have a Root CA which is also the Issuing CA, set up on the same Windows 2003 DC. This has published client computer certs to all our workstations/laptops in the domain. The client/computer cert is used during authentication to connect to our corporate wireless.

    The plan is to retire this 2003 server and set up everything new on the Windows 2012 platform.

    So, I have set up a new Windows 2012 Root and Issuing CA server in parallel to the Windows 2003 server for testing. This 2012 Root CA is standalone and has not been joined to our domain, so it is not conflicting with the current 2003 CA. On the new 2012 issuing CA server, I created a computer template and issued it to a couple of workstations for testing purposes. I can see a new computer certificate coming from this new issuing CA in the "Personal Certificates" store of those test workstations, in addition to the existing certificates issued by the 2003 CA. My test RADIUS server has been configured to use a certificate from this 2012 CA as its proof of identity.

    Now I am unable to connect to the corporate wireless from these workstations. The moment I delete this client computer cert coming from the new 2012 CA, the workstation is able to authenticate successfully to the RADIUS server and connect. Is it that the 2 client certs which are in the personal certificate store of that PC are conflicting with each other? I am not clear on why they would conflict with each other, and why, upon deleting the new cert, I can connect successfully using the old client cert.

    Sunday, February 1, 2015 7:56 PM
  • On Sun, 1 Feb 2015 19:56:13 +0000, Neeraj_Shah wrote:

    > Now I am unable to connect to the corporate wireless from these workstations

    Please start a new thread for this issue as it really has nothing to do with the current thread. Thanks.


    Paul Adare - FIM CM MVP
    Beware of bugs in the above code; I have only proved it correct, not tried it.
    -- Donald Knuth

    Sunday, February 1, 2015 8:39 PM