Multiple Issuing CA at different Geographical Location

  • Question

  • We are running a three-tier Microsoft PKI environment with one Root CA, one Intermediate CA and one Issuing CA at our headquarters. We want to introduce redundancy in our environment with respect to the Issuing CA by adding another Issuing CA. So, I would appreciate some design recommendations for such a requirement, particularly if we want to introduce the new Issuing CA at a different location.

    Would such a configuration make it redundant? Or

    would it be a good design? And

    would it only require just an Issuing CA at the remote location?

    Monday, September 29, 2014 11:08 AM

All replies

  • Hi,

    Do you want to create an issuing CA with the same name? If yes, then it is not possible, because if you choose to create an issuing CA with a name that already exists, it would overwrite the former one.

    If you create an issuing CA with a different name, then there are two different issuing CAs, and you will need to specify one CA when requesting certificates.

    To have redundancy for one issuing CA, you can consider clustering.

    More information for you:

    Overview of CA Clustering

    Installing and Configuring the CA Cluster

    Active Directory Certificate Services (AD CS) Clustering

    Best Regards,


    Tuesday, September 30, 2014 3:03 AM
  • What is the redundancy you are looking for? Adding a second CA would only provide redundancy for issuance or renewal of certificates - typically not critical activities for an environment unless you are using very short-lived certificates with a large impact such as NAP. Most organizations care about ensuring existing certificates continue to work if something happens to a CA - this is redundancy for the CRL/OCSP. This is not achieved by adding a second CA.

    Some organizations want a cold-standby CA that is ready to go in a DR site in case the primary dies. If that is the objective, a backup of the CA configuration, key and database will enable you to quickly resume operation on the backup CA. But it can only be staged to a certain degree ahead of time.

    So a little more information is needed.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Tuesday, September 30, 2014 3:14 AM
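One way to stage the "configuration, key and database" backup the reply above describes, as an added example that is not part of the thread. It assumes the ADCSAdministration module (Windows Server 2012 or later) on the live CA, a standby that already has the CA role installed with the same CA name, host name and paths as the primary, and placeholder share and file names.

```powershell
# Added example (not from the thread): stage what a cold-standby CA needs,
# per the reply above: CA configuration, key and database.
# Assumes ADCSAdministration on the live CA; share and file names are
# placeholders for illustration.
Import-Module ADCSAdministration

function Backup-CAForStandby {
    param(
        [string]$Root = '\\DR-FILESERVER\CABackup',   # placeholder share
        [Parameter(Mandatory)][securestring]$KeyPassword
    )
    $dest = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Private key (PFX protected by $KeyPassword) plus the certificate database.
    Backup-CARoleService -Path $dest -Password $KeyPassword -Force

    # CA configuration lives under the CertSvc registry key: CDP/AIA URLs,
    # validity periods, policy module settings. Export it alongside the DB.
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $dest 'CertSvc-Configuration.reg') /y | Out-Null

    # Templates assigned to this (Enterprise) CA, so they can be re-assigned
    # on the standby after a restore; certutil prints the list as text.
    certutil -catemplates | Set-Content (Join-Path $dest 'CATemplates.txt')

    return $dest
}

function Restore-CAOnStandby {
    param(
        [Parameter(Mandatory)][string]$BackupPath,
        [Parameter(Mandatory)][securestring]$KeyPassword
    )
    # Assumes the standby uses the same host name and DB paths as the primary;
    # otherwise review the .reg file before importing it (it carries both).
    Stop-Service certsvc
    Restore-CARoleService -Path $BackupPath -Password $KeyPassword -Force
    reg import (Join-Path $BackupPath 'CertSvc-Configuration.reg') | Out-Null
    Start-Service certsvc
    # Publish a fresh CRL at once so relying parties keep validating.
    certutil -crl | Out-Null
}

# Usage:  $pw = Read-Host -AsSecureString 'PFX password'
#         $path = Backup-CAForStandby -KeyPassword $pw
```

Certificates issued on the primary after the last backup are absent from the restored database, which is the "certain degree" limit the reply refers to.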
  • Actually, we have all the PKI server components (Root CA, Intermediate CA and Issuing CA) at our headquarters. We want to add redundancy to the Issuing CA role by adding another Issuing CA in one of our regional offices.

    In such a scenario, what is best suited? CA clustering, or just adding another Issuing CA to the regional office and that is it?

    CA Clustering would be tricky as it requires shared storage and with sites geographically dispersed that would be a limitation.

    What would you gentlemen recommend in this scenario?

    Tuesday, September 30, 2014 10:59 AM
  • Unfortunately this doesn't really define your goals or requirements. What do you want redundancy for? What failure scenario or situation? What needs to continue to work and how long of an outage is acceptable to the environment? Clustering or other scenarios are tools to solve these issues but do not define business and technology goals.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Tuesday, September 30, 2014 12:16 PM
  • Thanks for the answer.

    Can you please share your thoughts or a link to an article/blog with respect to all aspects of PKI that require redundancy and methods of achieving it?

    Going by your previous answer, it seems that CRL/OCSP are the aspects that need redundancy in most cases. Can you please share any article/blog about its implementation?


    Friday, October 3, 2014 9:55 AM
  • Friends... any thoughts on this?

    Wednesday, October 15, 2014 10:44 AM
  • Here are links to two recent threads on high availability of CAs.

    Making CRL web servers and OCSP responders highly available is similar to making any web application highly available, via NLB or other load balancers.

    With OCSP, you need to configure the array accordingly, as described in the OCSP white paper. HA is described in detail in this article.

    For CRLs you need a directory with anonymous access for everybody and write access for the CAs (in case the web server is a domain member, otherwise you'd need an FTP script or the like).

    I don't know any white paper covering the "HA aspect" in particular. But the configuration is the same as with any "single-node" CDP URL - the CA would just publish the CRL to two different web servers.


    • Edited by Elke Stangl Wednesday, October 15, 2014 4:23 PM
    Wednesday, October 15, 2014 3:53 PM
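The two-web-server CRL publication described in the reply above, as an added example that is not part of the thread. It assumes the ADCSAdministration module on the issuing CA, that the CA's machine account can write to each web server's CertEnroll share (the domain-member case the reply mentions), and placeholder host names.

```powershell
# Added example (not from the thread): publish the CRL to two web servers
# and verify both copies. Host and share names are placeholders.
Import-Module ADCSAdministration

# certutil tokens: %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix.
$webHosts = @('pki1.corp.example', 'pki2.corp.example')   # placeholders

foreach ($h in $webHosts) {
    # Publish location: the CA writes base and delta CRLs to the server's share.
    Add-CACrlDistributionPoint -Uri "file://\\$h\CertEnroll\%3%8%9.crl" `
        -PublishToServer -PublishDeltaToServer -Force
    # Client-facing location: placed in the CDP extension of issued certs.
    Add-CACrlDistributionPoint -Uri "http://$h/CertEnroll/%3%8%9.crl" `
        -AddToCertificateCdp -AddToFreshestCrl -Force
}
# Two CDP URLs let clients fall back to the second host if the first is down;
# a single load-balanced name, as the reply suggests for OCSP, also works.
Restart-Service certsvc
certutil -crl | Out-Null      # publish now instead of waiting for the schedule

function Test-CrlCopies {
    param([string[]]$Urls)
    foreach ($u in $Urls) {
        $tmp = Join-Path $env:TEMP ('crl-' + [guid]::NewGuid() + '.crl')
        try {
            Invoke-WebRequest -Uri $u -OutFile $tmp -UseBasicParsing
            # certutil -dump prints a "NextUpdate: <date>" line for a CRL.
            $m = certutil -dump $tmp | Select-String 'NextUpdate:\s*(.+)$'
            [pscustomobject]@{ Url = $u; Ok = $true
                               NextUpdate = [datetime]$m.Matches[0].Groups[1].Value }
        } catch {
            [pscustomobject]@{ Url = $u; Ok = $false; NextUpdate = $null }
        } finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
    }
}

# Both copies should report the same NextUpdate; a stale or missing copy
# means one publish location is failing even though the CA itself is healthy.
Test-CrlCopies -Urls ($webHosts | ForEach-Object { "http://$_/CertEnroll/" })
```

Run Test-CrlCopies with the exact CRL file names the CA produced (the CertEnroll folder shows them) rather than the directory URLs shown in the usage line.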
  • Did anyone find the answer for this, e.g. deploying multiple issuing CAs in remote sites (for example one per remote site, or at a DR site)? Is there any scenario where we can have a DR CA server which is ready to use and just fail over to DR in case of a main-site CA failure?

    Tuesday, August 30, 2016 9:20 AM