How redundancy works in Win2003 PKI?


Posted by Marlon Brown on December 13, 2006, 5:26 pm
Imagine I deploy a two-level PKI structure.
Two offline root CAs.
Two CA servers.

I am deploying duplicated servers for redundancy reasons.

How is the redundancy handled for PKI?
Do the servers need to have any type of NLB/NIC, or is the whole thing
done logically?



Posted by Brian Delaney [MSFT] on December 21, 2006, 7:37 pm
Hi Marlon,

First of all I would recommend against using two offline root CAs for
redundancy. It is not at all necessary, all that is needed is backups to
be taken of the CA keypair and database. In most deployments within a
single organization only a single offline root CA should be used with few
exceptions.

Redundancy is required in two places in a PKI.
1. For download of the AIA and CDP information which is required to use
issued certificates
2. For requesting new certificates

Redundancy of the AIA and CDP information can be achieved by publishing
this information to LDAP for internal PKIs as this will replicate to all
DCs in the domain therefore having redundancy based on your DC
configuration. For externally available PKI, you can achieve redundancy of
the AIA and CDP information on an NLB web cluster or just by simply using
DNS round robin to multiple web servers.

Redundancy for requesting new certificates can be achieved by using two or
more enterprise subordinate CAs under your offline root, ensuring that the
same certificate templates are published at each of the CAs. This will
provide redundancy for autoenrollment (assuming both subCAs are 2003
Enterprise Edition) and manual certificate requests via the Certificates
MMC.

Generally speaking you need to focus most on making the AIA and CDP paths
redundant as all certificates will be considered revoked if this information
is unavailable and could potentially be useless until the path is restored.
Usually most organizations can live with the CA itself being down for
longer than they could with the AIA and CDP paths offline.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
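The reply's main point, that the AIA and CDP locations must stay reachable, lends itself to a simple health check. The PowerShell script below is an added example and not part of this thread: it reads the CDP and AIA URLs out of an issued certificate, fetches each HTTP location, and reports how many distinct hosts and addresses serve it. The certificate path, the timeout, and PowerShell 2.0 or later are assumptions.

```powershell
# Added example, not from the thread: test whether a certificate's CDP and AIA
# HTTP locations are reachable and whether more than one host serves them.
param(
    [string]$CertPath = 'C:\temp\issued-cert.cer',   # assumed path to an exported certificate
    [int]$TimeoutMs = 5000                            # assumed per-request timeout
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# 2.5.29.31 = CRL Distribution Points (CDP); 1.3.6.1.5.5.7.1.1 = Authority Information Access (AIA)
$extensionOids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

foreach ($oid in $extensionOids.Keys) {
    $name = $extensionOids[$oid]
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) { Write-Warning "$name extension missing from certificate"; continue }

    # Format($true) renders the extension as text containing lines such as "URL=http://..."
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    Write-Host "$name URLs:"
    $reachable = @()

    foreach ($url in $urls) {
        # LDAP locations replicate with AD and are not tested here; only HTTP is fetched
        if ($url -notmatch '^https?://') { Write-Host "  SKIP $url (only HTTP is tested)"; continue }
        try {
            $req = [System.Net.WebRequest]::Create($url)
            $req.Timeout = $TimeoutMs
            $resp = $req.GetResponse()
            Write-Host "  OK   $url ($($resp.ContentLength) bytes)"
            $resp.Close()
            $reachable += $url
        } catch {
            Write-Host "  FAIL $url ($($_.Exception.Message))"
        }
    }

    # Redundancy view: distinct hosts that answered, and the addresses each resolves to.
    # DNS round robin shows as several A records; an NLB cluster shows as one virtual IP,
    # so a single address is not by itself a single point of failure.
    $hosts = @($reachable | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique)
    foreach ($h in $hosts) {
        $addrs = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
        Write-Host "  $h resolves to: $($addrs -join ', ')"
    }
    if ($hosts.Count -eq 0) {
        Write-Warning "$name: no reachable HTTP location; chain building will treat certificates as unverifiable"
    } elseif ($hosts.Count -eq 1) {
        Write-Warning "$name: every reachable location is on a single host ($($hosts[0]))"
    }
}
```

Run it against a freshly issued certificate from each subordinate CA; a FAIL or single-host warning on the CDP is the condition the reply describes, where every issued certificate stops validating until that path is restored.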

