RE: How redundancy works in Win2003 PKI ?

Subject: RE: How redundancy works in Win2003 PKI ?
Posted by:  briand…
Date: Fri, 22 Dec 2006

Hi Marlon,

First of all I would recommend against using two offline root CAs for
redundancy.  It is not at all necessary; all that is needed is for backups
to be taken of the CA keypair and database.  In most deployments within a
single organization only a single offline root CA should be used with few

Redundancy is required in two places in a PKI.
1.  For download of the AIA and CDP information which is required to use
issued certificates
2.  For requesting new certificates

Redundancy of the AIA and CDP information can be achieved by publishing
this information to LDAP for internal PKIs as this will replicate to all
DCs in the domain therefore having redundancy based on your DC
configuration.  For externally available PKI, you can achieve redundancy of
the AIA and CDP information on an NLB web cluster or just by simply using
DNS round robin to multiple web servers.

Redundancy for requesting new certificates can be achieved by using two or
more enterprise subordinate CAs under your offline root, ensuring that the
same certificate templates are published at each of the CAs.  This will
provide redundancy for autoenrollment (assuming both subCAs are 2003
Enterprise Edition) and manual certificate requests via the Certificates

Generally speaking you need to focus most on making the AIA and CDP paths
redundant, as all certificates will be considered revoked if this information
is unavailable and could potentially be useless until the path is restored.
Usually most organizations can live with the CA itself being down for
longer than they could with the AIA and CDP paths offline.

Hope this helps,

Brian Delaney
Microsoft Canada
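As an added illustration of the last point above (the AIA/CDP paths matter more than the CA itself), here is a small Python model of how a relying party walks a certificate's CRL Distribution Points in order and what happens when none of them can be reached. It is not code from this thread or from Windows; the URLs, serial numbers and CRL contents are constructed sample data, and `check_revocation`, `fetcher_from` and the other names are hypothetical.

```python
"""Model of a relying party's CRL check against multiple CDP locations.

Added example, not code from the post or from any Microsoft product. Every
URL, serial number and CRL below is constructed sample data, and the fetcher
is a stand-in for real LDAP/HTTP retrieval.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: set = field(default_factory=set)


@dataclass
class Cert:
    issuer: str
    serial: int
    cdp_urls: list  # CRL Distribution Points, in the order the CA wrote them


Fetcher = Callable[[str], Optional[Crl]]  # returns None when the location is down


def fetch_crl(cert: Cert, fetch: Fetcher, now: datetime) -> Optional[Crl]:
    """Try each CDP in order; return the first fresh CRL from the right issuer."""
    for url in cert.cdp_urls:
        crl = fetch(url)
        if crl is None:
            continue  # location unreachable: fall through to the next CDP
        if crl.issuer != cert.issuer:
            continue  # wrong CRL for this certificate
        if not (crl.this_update <= now < crl.next_update):
            continue  # a stale CRL is no better than no CRL
        return crl
    return None  # every CDP failed: revocation status cannot be determined


def check_revocation(cert: Cert, fetch: Fetcher, now: datetime) -> str:
    """'good', 'revoked', or 'undetermined' (no usable CRL from any CDP)."""
    crl = fetch_crl(cert, fetch, now)
    if crl is None:
        return "undetermined"
    return "revoked" if cert.serial in crl.revoked_serials else "good"


def fetcher_from(locations: dict) -> Fetcher:
    """Build a fetcher from a dict of URL -> Crl; missing URLs count as down."""
    return lambda url: locations.get(url)


# --- constructed sample data (hypothetical CA, URLs and serials) -------------
NOW = datetime(2006, 12, 22, 12, 0)
ISSUER = "CN=Contoso Issuing CA 1"
LDAP_CDP = ("ldap:///CN=Contoso%20Issuing%20CA%201,CN=CDP,CN=Public%20Key%20Services,"
            "CN=Services,CN=Configuration,DC=contoso,DC=example?certificateRevocationList")
HTTP_CDP = "http://pki.contoso.example/CertEnroll/Contoso%20Issuing%20CA%201.crl"
ISSUING_CRL = Crl(ISSUER, NOW - timedelta(days=1), NOW + timedelta(days=6), {0x1234})
CERT = Cert(ISSUER, 0x1001, [LDAP_CDP, HTTP_CDP])


def run_scenarios() -> dict:
    """Outcomes for several availability states of the two CDP locations."""
    both = fetcher_from({LDAP_CDP: ISSUING_CRL, HTTP_CDP: ISSUING_CRL})
    http_only = fetcher_from({HTTP_CDP: ISSUING_CRL})  # LDAP (DC) unreachable
    nothing = fetcher_from({})                         # both CDPs unreachable
    return {
        "all_up": check_revocation(CERT, both, NOW),
        "ldap_down": check_revocation(CERT, http_only, NOW),
        "all_down": check_revocation(CERT, nothing, NOW),
        # CA stayed down past nextUpdate, so even a reachable CRL is stale
        "stale_crl": check_revocation(CERT, http_only, NOW + timedelta(days=10)),
        "revoked": check_revocation(Cert(ISSUER, 0x1234, CERT.cdp_urls), http_only, NOW),
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:10s} -> {status}")
```

The `ldap_down` case is the redundancy Brian describes: the client simply moves on to the next CDP, so a second web server behind DNS round robin or NLB keeps validation working. The `all_down` case is the failure he warns about; Windows CryptoAPI reports it as "the revocation server was offline" (CRYPT_E_REVOCATION_OFFLINE), and any application that enforces revocation checking rejects the chain. The `stale_crl` case shows the limit on how long the CA itself can be down: a CRL is only usable until its nextUpdate, so a CA (or a restored backup of it) has to publish a new CRL before the current one expires.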


>Reply-To: "Marlon Brown" <MarlonBro…>
>From: "Marlon Brown" <MarlonBro…>
>Subject: How redundancy works in Win2003 PKI ?
>Date: Wed, 13 Dec 2006 14:26:54 -0800
>Imagine I deploy a two-level PKI structure.
>Two offline root CAs.
>Two CA servers.
>I am deploying duplicated servers for redundancy reasons.
>How is the redundancy handled for PKI ?
>Do the servers need to have any type of NLB/NIC, or is the whole thing
>done logically?
