Setup of Multiple Issuing CAs

  • Question

  • There are lots of comments regarding the use of multiple Issuing CAs in an ADCS infrastructure, even comments that you need multiple Issuing CAs with Server 2003 to achieve resiliency. However, there do not appear to be any whitepapers or technical details about how to set this up.

    The only information I can find relates to setting up an Active/Standby architecture using failover clustering.

    Is this the only way of achieving resiliency?

    Why are there comments regarding the use of multiple Issuing CAs if this is not possible?

    Currently our Issuing CA is deployed as a virtual machine so already has failover capability which safeguards against physical hardware failure.

    We don't currently have applications which need live authentication of certificates, but this is due to change.

    Is it the CRLs that are important here, or do you really need multiple Issuing CAs?

    As I mentioned above, there are lots of comments about having multiple Issuing CAs but nothing which discusses the setup for this model.

    Help please.

    Monday, July 15, 2013 11:33 AM

Answers

All replies

  • If I understood your query correctly: the setup of multiple Issuing CAs depends completely on your environment's network infrastructure and scalability. The clustering idea is good for redundancy and fault tolerance. A CA should not work without the CRL; that is a built-in feature.

    Regards
    Biswajit Biswas
    My Blogs|TechnetWiki Ninja | Any ADDS Related Query;Post@http://aka.ms/addsforum | Any Security Related Query ;Post@http://aka.ms/adcsforum


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Tuesday, July 16, 2013 5:28 AM
  • Hi,

    In addition, the more certificates a CA hierarchy issues to users, computers, services, or network devices, the higher the number of issuing CAs required in the CA hierarchy.

    In a word, the setup of multiple Issuing CAs depends on the requirements, structure, location, and processes of an organization.

    Is this the only way of achieving resiliency?

    If your organization considers disk failure the biggest risk to Certificate Services, you can ensure that the CA database’s disk partition is on a redundant array of independent disks (RAID) 5 or RAID 0+1 disk array to ensure the best performance and recoverability in the event of disk failure.

    Ted


    • Edited by Ted Xie Tuesday, July 16, 2013 7:28 AM
    Tuesday, July 16, 2013 7:27 AM
  • All,

    I don't think anyone has really grasped what is being asked here...

    What I was trying to determine is whether the only way of making Issuing CAs redundant is by using failover clustering?

    I take it there are no replication features for the database, as there are with Active Directory?

    Tuesday, July 16, 2013 8:31 AM
  • No, failover clustering is not the only way; if all issuing CAs host the same certificate templates for enrollment, those servers can be used for redundancy and fault tolerance.

    Regards
    Biswajit Biswas

    Tuesday, July 16, 2013 9:17 AM
  • Ok, I understand that you can deploy multiple issuing CAs, but then don't you end up in a situation where each CA owns its own certificate database? Also, what then happens about CDPs and CRLs? Is each issuing CA then just acting as a CDP/CRL only for the certificates that it issued?
    Wednesday, July 17, 2013 8:28 AM
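The two points raised above, that redundancy exists only for templates hosted on every issuing CA and that each CA publishes a CRL only for the certificates it issued, can be checked from a management workstation. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory module and certutil.exe are available, that the account can read each CA's configuration, and that certutil's CRL dump labels the validity window as "NextUpdate:" in the current culture's date format.

```powershell
# Added example (not from the thread): enumerate the issuing CAs published in
# AD, report which certificate templates they have in common (the condition
# for enrollment redundancy), and verify that each CA's base CRL is still valid.

Import-Module ActiveDirectory

# One pKIEnrollmentService object per enterprise CA lives under this container.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$cas = @(Get-ADObject -SearchBase $base -Filter 'objectClass -eq "pKIEnrollmentService"' `
         -Properties dNSHostName, certificateTemplates)

if ($cas.Count -lt 2) { Write-Warning "Fewer than two issuing CAs found; no enrollment redundancy is possible." }

# Templates offered by every CA: a client can enroll against whichever CA is up.
$common = $null
foreach ($ca in $cas) {
    $templates = @($ca.certificateTemplates)
    $common = if ($null -eq $common) { $templates } else { @($common | Where-Object { $templates -contains $_ }) }
}
"Templates hosted on all $($cas.Count) CAs: $($common -join ', ')"

# Templates hosted on only some CAs: enrollment for these has a single point of failure.
$all = $cas | ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique
$partial = @($all | Where-Object { $common -notcontains $_ })
if ($partial.Count -gt 0) { "Templates NOT on every CA (no redundancy): $($partial -join ', ')" }

# Each CA signs its own CRL covering only the certificates it issued, so check every one.
foreach ($ca in $cas) {
    $config = "$($ca.dNSHostName)\$($ca.Name)"          # certutil -config "host\CA name"
    $tmp = Join-Path $env:TEMP "$($ca.Name).crl"
    & certutil.exe -config $config -GetCRL $tmp | Out-Null
    if (-not (Test-Path $tmp)) { Write-Warning "$config : could not retrieve the base CRL"; continue }

    # Assumption: certutil -dump prints the CRL validity as "ThisUpdate:" / "NextUpdate:" lines.
    $line = (& certutil.exe -dump $tmp) | Select-String -Pattern 'NextUpdate:\s*(.+)$' | Select-Object -First 1
    if ($null -eq $line) { Write-Warning "$config : could not parse NextUpdate from CRL dump"; continue }
    $next = [datetime]::Parse($line.Matches[0].Groups[1].Value.Trim())
    $state = if ($next -gt (Get-Date)) { 'valid' } else { 'EXPIRED - revocation checking will fail' }
    "$config : base CRL NextUpdate $next ($state)"
    Remove-Item $tmp -ErrorAction SilentlyContinue
}
```

A template missing from the common list, or a CRL past its NextUpdate, is exactly the condition under which a second CA does not give you resiliency for that workload.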
  • See this:

    To Cluster or Not to Cluster CAs

    Regards
    Biswajit Biswas

    • Marked as answer by Ted Xie Tuesday, July 23, 2013 4:55 AM
    Thursday, July 18, 2013 3:06 AM
  • Hi,
     
    As this thread has been quiet for a while, we will mark it as 'Answered', as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
     
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
     
    Best Regards
     
    Ted

    Tuesday, July 23, 2013 4:55 AM