Certificate Authority (CA) Failover - Possible?

[Guest]

I hope this is the correct board to ask this question... I am trying to setup
a CA for our company, not for AD purposes, but for client side web
certificates that can be issued to our customers to browse our website. Now
with the question...

Is there a way to setup 2 servers as the CA for failover purposes? I'm
thinking kind of like how DNS servers work. Where if one goes down, the other
one will just take over. It will be very important for the CA to stay up
because of the constant changes we will be making in the Issuing and denying
of certificates. Any information or suggestions would be great. Thanks!

-Frank

 

[Brian Komar [MVP]]

I hope this is the correct board to ask this question... I am trying to setup
a CA for our company, not for AD purposes, but for client side web
certificates that can be issued to our customers to browse our website. Now
with the question...

Is there a way to setup 2 servers as the CA for failover purposes? I'm
thinking kind of like how DNS servers work. Where if one goes down, the other
one will just take over. It will be very important for the CA to stay up
because of the constant changes we will be making in the Issuing and denying
of certificates. Any information or suggestions would be great. Thanks!

-Frank

You can accomplish some of what you want.
- You can have a DNS CNAME record that would send you to either of the
two CAs.
- Certificates would be fine as both CAs would chain to a common root CA
(you would need a two tiered hierarchy with an offline root CA)
- You would be able to issue any number of certificates from either CA
- The CA that issued the certificate would have to be up though to
revoke a certificate.

Today, there is no way to cluster the CA so that failover could happen.
What I have described is about all that you can do.

brian