Re: Clustering Certificate Authority Server

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 11/21/05


Date: Mon, 21 Nov 2005 22:38:17 +0100

Question: What did you set your CRL publication interval to?

-- 
Mike
Microsoft MVP - Windows Security
"Amihai Bareket" <amihai73@hotmail.com> wrote in message 
news:eg$%23M4t7FHA.2012@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> Problem with a second CA as you've described it is that the certificates 
> issued by the CA are signed by him and he is the only one that's able to 
> revoke them.
> Also, the CRL file is signed by that CA.
> Can you think of a way that the second CA will be able to revoke 
> certificates or sign the CRL using the private key of the first CA?
> This is the main goal I'm trying to achieve with CA redundancy.
>
> Amihai
>
>
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message 
> news:uuz049p7FHA.3416@TK2MSFTNGP15.phx.gbl...
>> Hi,
>>
>> no, you can't cluster CA server with Windows 2003 server. I believe there 
>> were some solutions on UNISYS...
>>
>> For redundancy -- you can set up more than one Enterprise CA. If you set 
>> up e.g. two -- either of the two can issue any certificate based on 
>> configured templates. Templates are stored in Active Directory so either 
>> of the two CA servers can read them and issue certificates.
>>
>> -- 
>> Mike
>> Microsoft MVP - Windows Security
>>
>>
>> "Amihai Bareket" <amihai73@hotmail.com> wrote in message 
>> news:uQJppYo7FHA.3976@TK2MSFTNGP15.phx.gbl...
>>> Is it possible to cluster Certificate Authority (CA) server using 
>>> Windows Server 2003 cluster?
>>> The CA is an Enterprise CA.
>>> If possible, Is there a whitepaper that explains how to do it?
>>> If not, what other redundancy/availability options are possible for CAs?
>>>
>>>
>>>
>>
>>
>
> 
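The reason the CRL publication interval matters for the redundancy question above is that the base CRL an Enterprise CA publishes stays valid until its NextUpdate, so that is the window in which clients keep validating certificates from a CA that has gone down. The script below is an added example, not code from the thread or from Microsoft: it reads the CA's CRL settings, sets the base CRL lifetime, publishes a fresh CRL and dumps the resulting ThisUpdate/NextUpdate so the window can be read off. It assumes it runs on the CA as a CA administrator; the values 2 and "Weeks" are assumptions for illustration, not a recommendation. Every line is a certutil or net command, so the same commands work from cmd.exe on Windows Server 2003.

```powershell
# Added example (not from the thread): inspect and change the base CRL
# publication interval on an Enterprise CA, then publish and verify.
# Registry names (CRLPeriod, CRLPeriodUnits, CRLOverlap*, CRLDelta*) are the
# documented certutil -getreg/-setreg names under CA\.
param(
    [int]$Units = 2,           # assumption: base CRL valid for 2 ...
    [string]$Period = "Weeks"  # ... Weeks (Hours, Days, Weeks, Months, Years)
)

# 1. Current settings: base CRL lifetime, delta CRL lifetime and overlap.
#    The overlap is added to the lifetime when the CA computes NextUpdate.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLOverlapUnits
certutil -getreg CA\CRLOverlapPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod

# 2. Set the base CRL lifetime to the requested value.
certutil -setreg CA\CRLPeriodUnits $Units
certutil -setreg CA\CRLPeriod $Period

# 3. Restart Certificate Services so the change takes effect, then publish a
#    new base CRL immediately instead of waiting for the next scheduled run.
net stop certsvc
net start certsvc
certutil -crl

# 4. Find the newest base CRL in CertEnroll (delta CRLs end in "+.crl") and
#    show its validity window; NextUpdate minus now is how long clients can
#    still check revocation if this CA disappears.
$crl = Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll\*.crl" |
       Where-Object { $_.Name -notmatch '\+\.crl$' } |
       Sort-Object LastWriteTime -Descending |
       Select-Object -First 1
certutil -dump $crl.FullName | Select-String -Pattern "ThisUpdate|NextUpdate"
```

The check a practitioner wants after running this is that the NextUpdate printed in step 4 is later than the longest outage you expect to repair the CA in; a second Enterprise CA does not extend that window, because, as noted in the thread, only the issuing CA's key can sign that CA's CRL.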

