|
Posted by Brian Komar on February 11, 2008, 10:36 pm
If you were Registered and logged in, you could reply and use other advanced thread options
You can cluster Certificate Services on Windows Server 2008, Enterprise
Edition.
Not the Web enrollment pages, but the CA itself.
Brian
> Certificate Services do *not* support clustering. Whatever you do,
> certificates issued by a CA will have to be signed using this CA's private
> key and by definition, there should be one, secret copy of this key on a
> single server (and not a cluster).
>
> The way around this is a multitier hieararchy, as you've mentioned below.
> If you decide to go for a collapsed root/policy CA, you can install that
> on a single (preferably offline - so not on your Web farm) root server,
> and then you can install subordinate CAs on all the Web servers (yeah, I
> know you were trying to avoid this...). All certificates issued by
> subordinates will be part of the same CA hieararchy, therefore clients
> will trust one another.
>
> A note on load balancing: when the client returns to the Web server to
> obtain a certificate that they previously applied for, they must hit the
> same Web server. Therefore, you will have to set client affinity, and it
> needs to be such that even if the client returns after a week, she should
> still hit the same server... This is so far the trickiest bit - and I
> guess you will need to review your load balancer documentation to find out
> whether this is doable at all, as affinity typically has a limited timeout
> period.
>
> A note on unavailable CAs: Note, that if the CA is unavailable (not the
> CRL DP, the actual CA registration authority, so the CERTSRV pages), then
> users will simply not be able to request *new* certificates until the CA
> becomes available again. However, all issued certificates will work. Hence
> the reason why CAs are not necessarily Load Balancer and Clustering
> friendly.
>
> --
> ---
> HTH,
> Dobromir
>
> Visit http://www.iamechanics.com
>
>> Everyone,
>>
>> I have an environment that uses a Stand-alone CA to issue certificates to
>> remote users from a public web site using web enrollment. This cert is
>> used
>> for authentication for another web site.
>>
>> Right now I have a server farm behind load balancers, but only one of
>> them
>> is configured as CA with the web-enrollment piece (certsrv). As you can
>> imagine, this acts as a single point of failure and means that we can't
>> use
>> the load balancers for this; we have to always go to the single server.
>>
>> I would like to put copies of Certsrv on the other web servers so that I
>> could balance these, but I am concerned with the communication between
>> web
>> enrollment and the CA and what the configuration steps would be. I am
>> trying
>> to avoid the overhead of configuring subordinates on the other web
>> servers
>> and issuing locally.
>>
>> Advice?
>> --
>> Ryan Hanisco
>> MCSE, MCTS: SQL 2005, Project+
>> http://www.techsterity.com
>> Chicago, IL
>>
>> Remember: Marking helpful answers helps everyone find the info they need
>> quickly.
>
>
| 
XML site map