new PKI windows 2008 r2

  • Question

  • Where should one place the enterprise root CA server in a multidomain environment? Is it a good idea to place it in the forest root domain?
    We are planning to have more than one subordinate CA to allow fault tolerance. Will clients be affected if the server they initially got auto-enrolled from is not available at any point in time for some reason? As per my understanding, this information is stored in AD and shall not cause a problem if another subordinate CA is available with a valid auto-enroll template?

    What about servers like IIS servers, on which the certificate is installed manually and the server from which it was issued is not available now?

    Saturday, November 24, 2012 11:49 PM

All replies

  • > Is it good idea to place it in forest root domain ?

    It depends on numerous factors. From a security perspective it is recommended to place CAs in the forest root domain. However, if there are slow links between domains, you may consider moving CAs to user domains.

    > we are planning to have more than one subordinate CA to allow fault tolerance ?

    It's ok.

    > Will client be affected if the server they initially got auto enrolled from is not available at any point of time for some reason ?

    If the CA is unavailable and cannot publish CRLs, many applications will stop accepting certificates issued by this CA. Autoenrollment clients will be able to obtain new/renewal certificates from the second CA, but existing certificates will not be updated and you will have to manually reenroll failed certificates. This is because autoenrollment does not reenroll valid certificates for which revocation information could not be determined. Therefore it is highly recommended to keep revocation information online to prevent such cases.

    If revocation information is available and valid, then clients will be able to renew certificates from the second CA.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    • Marked as answer by TG9481 Sunday, November 25, 2012 6:31 PM
    Sunday, November 25, 2012 10:17 AM
  • Hi,

    How to make revocation information available in case of CA failure? Is there any automated way, or can we have failover configured for the revocation list?

    Can we have a common highly available CRL for two subordinate CAs?

    Thnx



    • Edited by TG9481 Sunday, November 25, 2012 5:29 PM
    Sunday, November 25, 2012 12:26 PM
  • You can have a common highly available CRL if you cluster the subordinate CAs. Most organizations ensure that they have a publication schedule that balances publication and recognition of revocation. Most organizations take advantage of CRL overlap to ensure that if a publication is missed, they can still manually publish a CRL before the previous CRL expires.

    Brian

    • Marked as answer by TG9481 Sunday, November 25, 2012 6:30 PM
    Sunday, November 25, 2012 2:11 PM
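Vadims' point that certificates stop validating once no valid CRL is reachable, and Brian's point that CRL overlap leaves time to publish manually after a missed publication, modelled in a small added example (my code, not from the thread or from the PSPKI module); the rule NextUpdate = ThisUpdate + CRLPeriod + CRLOverlapPeriod and the November 2012 dates are assumptions chosen for the scenario.

```python
from datetime import datetime, timedelta

# Assumed model of the Windows CA base-CRL schedule described in the replies above:
# a new CRL is published every CRLPeriod, but its NextUpdate is stamped as
# ThisUpdate + CRLPeriod + CRLOverlapPeriod, so consecutive CRLs overlap.
CRL_PERIOD = timedelta(weeks=1)
CRL_OVERLAP = timedelta(days=2)


def next_update(this_update, period=CRL_PERIOD, overlap=CRL_OVERLAP):
    """NextUpdate stamped into a CRL published at `this_update`."""
    return this_update + period + overlap


def publish_schedule(start, count, period=CRL_PERIOD, overlap=CRL_OVERLAP):
    """(ThisUpdate, NextUpdate) pairs for `count` on-schedule publications."""
    return [(start + i * period, next_update(start + i * period, period, overlap))
            for i in range(count)]


def current_crl(crls, now):
    """Newest CRL whose window covers `now`, or None. None is the failure mode
    from the replies: relying parties that require revocation data reject the
    CA's certificates, and autoenrollment will not reissue existing ones."""
    valid = [c for c in crls if c[0] <= now < c[1]]
    return max(valid, key=lambda c: c[0]) if valid else None


def grace_after_missed_publication(crls, missed_at):
    """Time left to publish a CRL manually if the publication due at `missed_at`
    did not happen. Zero means clients fail the moment the schedule is missed."""
    latest = current_crl(crls, missed_at)
    return latest[1] - missed_at if latest else timedelta(0)


def demo_grace_days(overlap_days):
    """Constructed scenario: weekly CRLs from Sunday 25 Nov 2012; the third
    publication, due 9 Dec, is missed. Returns the manual-publish grace in days."""
    start = datetime(2012, 11, 25)
    published = publish_schedule(start, 2, overlap=timedelta(days=overlap_days))
    return grace_after_missed_publication(published, start + 2 * CRL_PERIOD).days


if __name__ == "__main__":
    print("grace with 2-day overlap:", demo_grace_days(2), "days")  # 2
    print("grace with no overlap:   ", demo_grace_days(0), "days")  # 0
```

With no overlap, any missed publication immediately leaves relying parties without a valid CRL; the overlap is the window in which a missed run can still be recovered by hand.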
  • Thanks Vadims and Brian..

    One more question that I have is: can we have two Enterprise subordinate CAs under a Standalone root CA?

    Will this work? If yes, what will be the limitations of this structure?

    I am gonna use the subordinate CAs only for issuing certificates to clients.

    Thnx..

    Sunday, November 25, 2012 6:06 PM
  • Yes, this is a very common model.

    Brian

    • Marked as answer by TG9481 Sunday, November 25, 2012 6:30 PM
    Sunday, November 25, 2012 6:13 PM