Re: Clustering Certificate Authority Server

From: Amihai Bareket (amihai73_at_hotmail.com)
Date: 11/21/05

    Date: Mon, 21 Nov 2005 22:57:40 +0200
    
    

    Hi,

    The problem with a second CA as you've described it is that the certificates
    issued by the CA are signed by it, and it is the only one that's able to
    revoke them.
    Also, the CRL file is signed by that CA.
    Can you think of a way that the second CA will be able to revoke
    certificates or sign the CRL using the private key of the first CA?
    This is the main goal I'm trying to achieve with CA redundancy.

    Amihai

    "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
    news:uuz049p7FHA.3416@TK2MSFTNGP15.phx.gbl...
    > Hi,
    >
    > No, you can't cluster a CA server with Windows 2003 server. I believe there
    > were some solutions on UNISYS...
    >
    > For redundancy -- you can set up more than one Enterprise CA. If you set
    > up e.g. two -- either of two can issue any certificate based on configured
    > templates. Templates are stored in Active Directory so either of two CA
    > servers can read them and issue certificates.
    >
    > --
    > Mike
    > Microsoft MVP - Windows Security
    >
    >
    > "Amihai Bareket" <amihai73@hotmail.com> wrote in message
    > news:uQJppYo7FHA.3976@TK2MSFTNGP15.phx.gbl...
    >> Is it possible to cluster Certificate Authority (CA) server using Windows
    >> Server 2003 cluster?
    >> The CA is an Enterprise CA.
    >> If possible, is there a whitepaper that explains how to do it?
    >> If not, what other redundancy/availability options are possible for CAs?
    >>
    >>
    >>
    >
    >

