Windows 2003 Public Key Infrastructure high availability

Posted on 2009-04-15
Last Modified: 2012-05-06

I have installed a two-tier PKI in a Windows environment. I have one stand-alone Root CA (offline) and one Enterprise Subordinate CA (installed on Windows 2003 Enterprise Edition).

For availability reasons I would like to know if I can add a second Enterprise Subordinate CA in case the first one crashes. (Normally everything is stored in AD, so I assume taking a daily backup of the CA database is enough?)

Can I just install a second Enterprise Sub. CA the same way I did for the first one? What about CRL distribution points? Web enrollment?

Thank you
Question by: slimard

Accepted Solution

Yes and no.

Yes, you can set up a second subordinate CA, and this would offer some redundancy of services; however, the database will be tied to each CA. In the case that Sub1 fails, Sub2 will still issue new certificates, but all the certs issued from Sub1 will have issues whenever the CRL expires. There's probably a way you could get it to work, but it would be a lot more hassle than it is probably worth, in comparison to other solutions. If you issue your CRL via script (certutil -crl) every 1/2 period of the CRL lifecycle, then you have at least that much time to recover the system.

One recommendation is to set up using virtual machines. These can be stored to a removable hard drive that can be copied and offsited; restore is a snap, regardless of hardware.

The other possibility would be to have the CAs in a cluster. This is a new feature for 2008. That's a pretty heavy order for a lot of companies, but if it is a larger place it might be in order.
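The scripted CRL publishing the answer suggests, as an added PowerShell example that is not from the thread or the poster: it reads the CA's configured CRL lifetime from the registry, republishes the base CRL with certutil -crl, and checks the NextUpdate of the published file so a failed publish is noticed before clients start rejecting Sub1's certificates. The CA name "Contoso-Sub1-CA" and the script path are placeholders; the registry path, certutil switches and CertEnroll folder are standard for a Windows CA.

```powershell
# Added example, not part of the original thread. Run on the issuing CA as a
# CA administrator. "Contoso-Sub1-CA" is a placeholder CA name.
$CaName  = "Contoso-Sub1-CA"
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

# Read the configured base CRL lifetime (CRLPeriodUnits + CRLPeriod, e.g. 7 Days)
# so the republish interval follows whatever the CA is set to.
$cfg    = Get-ItemProperty -Path $RegPath
$hours  = switch ($cfg.CRLPeriod) {
    "Hours" { [int]$cfg.CRLPeriodUnits }
    "Days"  { [int]$cfg.CRLPeriodUnits * 24 }
    "Weeks" { [int]$cfg.CRLPeriodUnits * 24 * 7 }
    default { throw "Unexpected CRLPeriod value '$($cfg.CRLPeriod)'" }
}
# Half the CRL lifetime, as the answer recommends: if the CA dies right after a
# publish, this is the minimum time left before the last CRL expires.
$republishEveryHours = [int][math]::Max(1, $hours / 2)

# Publish a fresh base CRL to every configured CDP.
certutil -crl | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "certutil -crl failed with exit code $LASTEXITCODE"
}

# Verify the copy written to the local CertEnroll folder: dump it and parse NextUpdate.
$crlFile = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll\$CaName.crl"
$dump    = (certutil -dump $crlFile) -join "`n"
$m       = [regex]::Match($dump, 'NextUpdate:\s*([^\r\n]+)')
if (-not $m.Success) {
    throw "Could not read NextUpdate from $crlFile; publish may have failed"
}
$nextUpdate = [datetime]::Parse($m.Groups[1].Value.Trim())
$remaining  = $nextUpdate - (Get-Date)

# A freshly published CRL must be valid for at least the republish interval,
# otherwise the schedule leaves no recovery window at all.
if ($remaining.TotalHours -lt $republishEveryHours) {
    Write-Warning ("CRL for {0} expires in {1:N1} h, less than the {2} h republish interval" -f `
        $CaName, $remaining.TotalHours, $republishEveryHours)
} else {
    Write-Output ("CRL for {0} published; valid until {1} (republish every {2} h)" -f `
        $CaName, $nextUpdate, $republishEveryHours)
}
```

Schedule it with the Task Scheduler at the computed interval, for example `schtasks /Create /TN "Publish CA CRL" /SC HOURLY /MO <half period in hours> /RU SYSTEM /TR "powershell.exe -File C:\Scripts\Publish-Crl.ps1"`, and watch the warning in the task history or event log as the signal that Sub1 needs attention.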
