Hey everyone! I'm looking to set up a high availability (HA) capable Public Key Infrastructure (PKI) and would love to hear some best practices for this kind of implementation. My plan is to use one offline Certificate Authority (CA) server and two subordinate CA servers. I've heard that it's typically set up as an active/passive cluster. Any insights or tips would be much appreciated! Thanks!
5 Answers
One important thing to consider is that your shared storage shouldn't be a single point of failure. Make sure it's reliable so it doesn't compromise your entire setup.
I found a great article detailing the ADCS Failover Clustering approach. It might be worth checking out for your setup. It goes over the necessary steps and best practices pretty well. Here's the link: https://www.vkernel.ro/blog/clustering-active-directory-certificate-services-ad-cs
Microsoft has published a whitepaper about deploying your issuing CA role in a failover cluster. I've done several installs like this before. If you're looking to support Mobile Device Management (MDM), the older multiple issuing CA model won't cut it anymore; you'll want to use a failover cluster instead. You can leverage Azure, with shared disks and load balancers, plus use blob storage for CRLs to enhance reliability.
It's usually not advisable to fail over the CA's functions directly. Instead, focus on the infrastructure that supports them. It keeps things less messy in case of a failure.
Remember, in a typical PKI setup, you install multiple issuing CAs that all trust the same root CA. The CRL (Certificate Revocation List) publication should be set generously, allowing recovery time before clients hit revocation issues. When clients enroll for certificates, they'll attempt to connect to the first available CA, and if they can't, they'll move on to the next one. Just ensure your CRL publication intervals are set wisely to give you time to sort out any failures.
That's really helpful! So, if a CA fails, I can just adjust the publication interval? How often do you recommend?
That's helpful! Could you point me to the MS link that outlines all the steps for this implementation?
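A small check for the CRL advice in the thread above (that publication intervals should leave you recovery time), added here as an example and not from any of the posters: it reads ThisUpdate/NextUpdate out of a DER-encoded CRL and reports whether the remaining validity still covers a chosen recovery window. The issuer name, dates and signature in sample_crl() are constructed values; in practice you would feed crl_validity() a CRL downloaded from your CDP.

```python
"""Stdlib-only DER walk of a CRL's ThisUpdate / NextUpdate (RFC 5280 5.1) plus a
recovery-margin check; sample_crl() builds a constructed CRL with a dummy signature."""
from datetime import datetime, timezone

def _tlv(data: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(data: bytes, pos: int) -> datetime:
    tag, start, end = _tlv(data, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(data[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der: bytes):
    """Return (this_update, next_update) of a DER-encoded X.509 CRL."""
    _, pos, _ = _tlv(der, 0)                       # CertificateList
    _, pos, _ = _tlv(der, pos)                     # tbsCertList
    if der[pos] == 0x02:                           # optional version INTEGER
        pos = _tlv(der, pos)[2]
    pos = _tlv(der, pos)[2]                        # signature AlgorithmIdentifier
    pos = _tlv(der, pos)[2]                        # issuer Name
    this_update, pos = _time(der, pos), _tlv(der, pos)[2]
    next_update = _time(der, pos) if pos < len(der) and der[pos] in (0x17, 0x18) else None
    return this_update, next_update

def margin_hours(der: bytes, now: datetime, needed_hours: float):
    """(enough, remaining_hours): does the CRL still cover needed_hours of recovery time?"""
    _, next_update = crl_validity(der)
    if next_update is None:
        raise ValueError("CRL carries no NextUpdate")
    remaining = (next_update - now).total_seconds() / 3600
    return remaining >= needed_hours, remaining

def _enc(tag: int, body: bytes) -> bytes:
    """Short-form DER encoder (bodies < 128 bytes), only for the constructed sample."""
    return bytes([tag, len(body)]) + body

def sample_crl() -> bytes:
    """Constructed CRL: 7-day CRLPeriod + 2-day CRLOverlapPeriod, so NextUpdate = ThisUpdate + 9 days."""
    sig_alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")  # sha256WithRSA
    cn = _enc(0x30, _enc(0x06, bytes.fromhex("550403")) + _enc(0x13, b"Example Issuing CA"))
    issuer = _enc(0x30, _enc(0x31, cn))
    tbs = _enc(0x30, _enc(0x02, b"\x01") + sig_alg + issuer
               + _enc(0x17, b"240501000000Z") + _enc(0x17, b"240510000000Z"))
    return _enc(0x30, tbs + sig_alg + _enc(0x03, b"\x00" + bytes(4)))     # dummy signature bits
```

Run margin_hours() against each issuing CA's published CRL on a schedule and alert when the remaining hours drop below the time you realistically need to restore a failed CA.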