
Currently I have one online enterprise root CA (which also issues certificates - default templates) that is installed on a DC (yes, yes, I know - worst case scenario). I have set up another offline server that is not joined to the domain, 2 IIS servers behind a load balancer and 2 enterprise issuing servers, and I need a few answers before I proceed:

NOTE: The final goal is to REPLACE and not migrate current set/certificates.

1) The current CA common name (not the server name) is example-root-ca. Can I give the new offline root CA the same common name while installing the CA role? Will it affect the current certificates somehow? Should I use a new name, and why?

2) When installing multiple subordinate issuing servers, configuring the CA role again asks for a common name - so should the 2 servers use the same common name, or is it fine if they have different common names (or, as far as I remember, must it even be unique)? In such a case, I am wondering how the client will get the certificate: will some get it from server one and some from server 2? What will happen when they try to renew?

user491190

1 Answer


can I give to the new offline server CA root same common name while installing the CA role? Will it affect somehow the current certificates?

You can re-use the same name for the root CA if you wish. As the public/private key will be different, the certificate will effectively be different regardless of whether the name is the same or not. As this is an offline root CA, there will be no clashes with anything in AD (which could be the case if this one was also domain joined). Also, managing two root CA certificates with identical subject names will be slightly more challenging, simply because it will be harder to differentiate between the two without looking at the valid from/to dates.

so 2 servers should use the same common name?

The issuing CA names must be unique. Note that having two issuing CAs will not give you any form of load-balancing. You'll simply end up with two issuing CAs. It could be argued that you'll have some form of fail-over in the sense that if one is down the other can still service requests.

In such case, I am thinking of how the client will get the certificate? some will get from server one and some from server 2?

If you have multiple issuing CAs the user will get a choice of which CA they want to send the request to. The list will come from AD and will not change if one of the CAs is down. So if the user picks a CA that happens to be offline, the request will simply fail.

Automatically enrolled certificates will pick any of the CAs for which the template is enabled. I'm not certain of the process for deciding which CA should be used if more than one has the template enabled; however I seem to recall that the one that had the template enabled later seemed to get the request but I didn't test thoroughly enough to be certain.

garethTheRed
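Both points in the answer (telling apart two root CA certificates that share a subject name, and seeing which issuing CAs AD advertises and which templates each one publishes) can be checked from a domain-joined Windows host. The following PowerShell is an added example, not code from the question or the answer. It assumes a domain-joined host with PowerShell 5.1 or later, read access to the Configuration partition, and certutil.exe on the path; the template name `ExampleTemplate` used in the usage call is a placeholder.

```powershell
# Added example (not from the original post). Assumes a domain-joined Windows host
# with read access to the Configuration naming context and certutil.exe available.

# Part 1: root CA certificates in the machine's trusted-root store that share a
# Subject. Two roots with the same name are still different certificates: the
# thumbprint, the Subject Key Identifier (OID 2.5.29.14) and the validity window
# are what tell them apart.
function Get-DuplicateRootSubjects {
    $roots = Get-ChildItem -Path Cert:\LocalMachine\Root
    $roots |
        Group-Object -Property Subject |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            foreach ($cert in $_.Group) {
                $ski = $cert.Extensions |
                    Where-Object { $_.Oid.Value -eq '2.5.29.14' } |
                    ForEach-Object { $_.Format($false) }
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    SubjectKeyId = $ski
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                }
            }
        }
}

# Part 2: the issuing CAs that AD advertises to clients. These are the
# pKIEnrollmentService objects under "Enrollment Services" in the Configuration
# partition; their certificateTemplates attribute lists the templates each CA
# publishes (by template CN, e.g. "Machine", not by display name). This list is
# static: a CA that is down is still listed, so an optional certutil ping shows
# whether the CA actually answers right now.
function Get-EnrollmentServices {
    param(
        [string]$TemplateName,   # optional: flag whether each CA publishes this template
        [switch]$Ping            # optional: probe each CA with "certutil -ping"
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $searchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    $searcher.Filter = '(objectClass=pKIEnrollmentService)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'dNSHostName', 'certificateTemplates'))

    foreach ($result in $searcher.FindAll()) {
        $caName    = [string]$result.Properties['cn'][0]
        $caHost    = [string]$result.Properties['dnshostname'][0]
        $templates = @($result.Properties['certificatetemplates'] | ForEach-Object { [string]$_ })

        $publishes = $null
        if ($TemplateName) { $publishes = $templates -contains $TemplateName }

        $online = $null
        if ($Ping) {
            # certutil returns a non-zero exit code when the CA service does not answer.
            $null = & certutil.exe -config "$caHost\$caName" -ping 2>&1
            $online = ($LASTEXITCODE -eq 0)
        }

        [pscustomobject]@{
            CAName            = $caName
            Host              = $caHost
            PublishesTemplate = $publishes
            Online            = $online
            Templates         = $templates
        }
    }
}

# Usage (ExampleTemplate is a placeholder for a real template CN):
Get-DuplicateRootSubjects | Format-Table -AutoSize
Get-EnrollmentServices -TemplateName 'ExampleTemplate' -Ping | Format-Table CAName, Host, PublishesTemplate, Online
```

The first function is the check to run before and after deploying a replacement root with the same common name: every entry it returns is a root that must be distinguished by key and validity rather than by name. The second shows what the answer describes: auto-enrollment can only land on a CA whose `certificateTemplates` entry contains the template, and because the list comes from AD rather than from a health check, a CA that is listed but fails the ping will still be offered to clients and requests sent to it will fail.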
  • Thanks for the information! Regarding the first step, it makes sense. Regarding having multiple subordinates - not sure; from many forums and articles I did find that having multiple issuing servers is used for HA (not sure about load balancing), but I'm looking for an HA solution right now. – user491190 Oct 09 '18 at 13:33
  • You only need HA if you are issuing certificates in very large numbers, or generating CRLs with very short lifespan. Otherwise, CA downtime can often be tolerated. What you can't afford is downtime of your repository as clients won't be able to access your CRLs. Therefore, it's always wise, as you are planning, to double-up your IIS servers behind a load-balancer. – garethTheRed Oct 09 '18 at 14:36
  • Well, my main use will be certificate authentication for clients to network 802.1x. ~5000 devices. – user491190 Oct 10 '18 at 08:36