Windows 2003 Public Key Infrastructure high availability


I have installed a two tier PKI in Windows environment. I have one Stand-alone Root CA (offline) and one Enterprise Subordinate CA (installed on Windows 2003 enterprise ed.)

For availability reasons I would like to know if I can add a second Enterprise Subordinate CA in case the first one crashes. (Normally everything is stored in AD, so I assume taking a daily backup of the CA database is enough?)

Can I just install a second Enterprise sub. CA the same way I did for the first one? What about CRL distribution points? Web enrollment?

Thank you
Paranormastic (Cryptographic Engineer) commented:
yes and no.

Yes, you can set up a second subordinate CA, and this would offer some redundancy of services, however the database will be tied to each CA.  In the case that Sub1 fails, Sub2 will still issue new certificates, but all the certs issued from Sub1 will have issues whenever the CRL expires.  There's probably a way you could get it to work, but it would be a lot more hassle than it is probably worth, in comparison to other solutions.  If you issue your CRL via script (certutil -crl) every 1/2 period of the CRL lifecycle, then you have at least that much time to recover the system.

One recommendation is to set up using virtual machines - these can be stored to a removable hard drive and that can be copied and offsited - restore is a snap, regardless of hardware.

The other possibility would be to have the CAs in a cluster - this is a new feature for 2008.  That's a pretty heavy order for a lot of companies, but if it is a larger place it might be in order.
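The "certutil -crl every half CRL period" suggestion above, worked into a script. This is an added example and not part of the original thread; it assumes it runs elevated on the subordinate CA itself, that `$caName` is replaced with the real CA common name (the value below is a placeholder), and that `certutil` and `schtasks` are on the PATH.

```powershell
# Republish the base CRL at half its configured validity period, so a failed
# CA can be recovered before relying parties see an expired CRL.
function Register-CrlRepublish {
    param([string]$caName)   # placeholder CA name, supplied by the caller

    # CRL lifetime as configured on this CA (same values certutil -getreg CA\CRLPeriod* shows).
    $reg    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
    $units  = (Get-ItemProperty -Path $reg -Name CRLPeriodUnits).CRLPeriodUnits
    $period = (Get-ItemProperty -Path $reg -Name CRLPeriod).CRLPeriod      # "Hours", "Days", "Weeks"

    $hoursPerUnit = @{ "Hours" = 1; "Days" = 24; "Weeks" = 168 }
    if (-not $hoursPerUnit.ContainsKey($period)) { throw "Unhandled CRLPeriod '$period'" }

    # Half the lifetime, never less than one hour.
    $every = [math]::Max(1, [int]($units * $hoursPerUnit[$period] / 2))

    # schtasks limits /SC HOURLY to 1-23, so switch to DAILY for longer intervals.
    if ($every -lt 24) {
        schtasks /Create /F /RU SYSTEM /SC HOURLY /MO $every `
            /TN "PKI-Republish-CRL" /TR "certutil -crl"
    } else {
        schtasks /Create /F /RU SYSTEM /SC DAILY /MO ([int]($every / 24)) `
            /TN "PKI-Republish-CRL" /TR "certutil -crl"
    }

    # Publish once now and show the NextUpdate of the CRL that landed in CertEnroll,
    # which should be comfortably later than the next scheduled run.
    certutil -crl | Out-Null
    $crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    certutil -dump $crl.FullName | Select-String "NextUpdate"
}

Register-CrlRepublish -caName "CONTOSO-SUBCA1"   # placeholder name
```

The task only keeps the CRL fresh; it does not replace a CA database backup, and the CDP locations the CRL is copied to still need to stay reachable if the CA host itself is down.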