RyanHanisco
Fri Feb 15 13:24:05 CST 2008
Dobromir,
Thanks for confirming that. I had kind of resigned myself to the fact that
I would need to build out the CA structure to support this.
As to the certs re-registering, this will not be an issue as the business
requirements are to "permanently" brand a machine as being valid to interact
with the site. This means issuing a very long duration. This should get it
done.
Thanks so much for your feedback. You too, Brian.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need
quickly.
"Dobromir Todorov" wrote:
> Certificate Services do *not* support clustering. Whatever you do,
> certificates issued by a CA will have to be signed using this CA's private
> key and by definition, there should be one, secret copy of this key on a
> single server (and not a cluster).
>
> The way around this is a multitier hierarchy, as you've mentioned below. If
> you decide to go for a collapsed root/policy CA, you can install that on a
> single (preferably offline - so not on your Web farm) root server, and then
> you can install subordinate CAs on all the Web servers (yeah, I know you
> were trying to avoid this...). All certificates issued by subordinates will
> be part of the same CA hierarchy, therefore clients will trust one another.
>
> A note on load balancing: when the client returns to the Web server to
> obtain a certificate that they previously applied for, they must hit the
> same Web server. Therefore, you will have to set client affinity, and it
> needs to be such that even if the client returns after a week, she should
> still hit the same server... This is so far the trickiest bit - and I guess
> you will need to review your load balancer documentation to find out whether
> this is doable at all, as affinity typically has a limited timeout period.
>
> A note on unavailable CAs: Note, that if the CA is unavailable (not the CRL
> DP, the actual CA registration authority, so the CERTSRV pages), then users
> will simply not be able to request *new* certificates until the CA becomes
> available again. However, all issued certificates will work. Hence the
> reason why CAs are not necessarily Load Balancer and Clustering friendly.
>
> --
> ---
> HTH,
> Dobromir
>
> Visit http://www.iamechanics.com
>
> "Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message
> news:6CDE3050-3FC3-440C-9D06-A5E689D0FD1D@microsoft.com...
> > Everyone,
> >
> > I have an environment that uses a Stand-alone CA to issue certificates to
> > remote users from a public web site using web enrollment. This cert is
> > used
> > for authentication for another web site.
> >
> > Right now I have a server farm behind load balancers, but only one of them
> > is configured as CA with the web-enrollment piece (certsrv). As you can
> > imagine, this acts as a single point of failure and means that we can't
> > use
> > the load balancers for this; we have to always go to the single server.
> >
> > I would like to put copies of Certsrv on the other web servers so that I
> > could balance these, but I am concerned with the communication between web
> > enrollment and the CA and what the configuration steps would be. I am
> > trying
> > to avoid the overhead of configuring subordinates on the other web servers
> > and issuing locally.
> >
> > Advice?
> > --
> > Ryan Hanisco
> > MCSE, MCTS: SQL 2005, Project+
> > http://www.techsterity.com
> > Chicago, IL
> >
> > Remember: Marking helpful answers helps everyone find the info they need
> > quickly.
>
>
>
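Worked example, added here and not part of the thread above or of Certificate Services itself: a short Python script using the cryptography library that models the hierarchy Dobromir describes (one offline root, one subordinate CA per web server, long-lived client certificates issued by each subordinate) and then runs the chain check a relying web site would perform. It shows two points from the reply in code: certificates enrolled through different web servers validate against the same root, and that validation needs only the root and subordinate certificates, not a reachable CA. CA names, key sizes and lifetimes are assumptions made for illustration.

```python
# Added example, not code from the thread or from Certificate Services.
# Names, key sizes and lifetimes below are assumptions.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_cert(subject_cn, subject_key, issuer_cert, issuer_key, days, is_ca):
    """Issue a certificate for subject_cn. issuer_cert=None means self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    now = datetime.datetime.utcnow()
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def _signed_by(cert, issuer):
    """True if cert's signature verifies under issuer's RSA public key."""
    try:
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def chains_to_root(leaf, intermediates, root, now=None):
    """Walk leaf -> subordinate -> root, checking name linkage, signatures,
    validity dates and the CA flag on every issuer. This is what the relying
    web site does; it needs only the root and subordinate certificates, not a
    reachable CA, which is why already-issued certificates keep working while
    the CERTSRV pages are down."""
    now = now or datetime.datetime.utcnow()
    by_subject = {c.subject: c for c in intermediates}
    by_subject[root.subject] = root
    cert = leaf
    for _ in range(len(intermediates) + 2):       # bounded walk, no cycles
        if not cert.not_valid_before <= now <= cert.not_valid_after:
            return False
        issuer = by_subject.get(cert.issuer)
        if issuer is None or not _signed_by(cert, issuer):
            return False
        if cert == root:
            return True                            # reached the trust anchor
        bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            return False
        cert = issuer
    return False


def demo():
    # Collapsed root/policy CA (kept offline in the real deployment) ...
    root_key = _key()
    root = make_cert("Corp Offline Root CA", root_key, None, root_key, 3650, True)
    # ... and one issuing CA per load-balanced web server.
    subs = {}
    for host in ("WEB01", "WEB02"):
        k = _key()
        subs[host] = (make_cert(f"{host} Issuing CA", k, root, root_key, 1825, True), k)
    intermediates = [c for c, _ in subs.values()]

    # Long-lived client certs, one enrolled through each web server.
    clients = {}
    for host, (sub_cert, sub_key) in subs.items():
        clients[host] = make_cert(f"user-via-{host}", _key(), sub_cert, sub_key, 3650, False)

    # A certificate from an unrelated stand-alone CA must not be accepted.
    rogue_key = _key()
    rogue_ca = make_cert("Rogue CA", rogue_key, None, rogue_key, 3650, True)
    rogue_client = make_cert("user-via-rogue", _key(), rogue_ca, rogue_key, 3650, False)

    far_future = datetime.datetime.utcnow() + datetime.timedelta(days=4000)
    return {
        "web01_client": chains_to_root(clients["WEB01"], intermediates, root),
        "web02_client": chains_to_root(clients["WEB02"], intermediates, root),
        "rogue_client": chains_to_root(rogue_client, intermediates, root),
        "expired_client": chains_to_root(clients["WEB01"], intermediates, root, now=far_future),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'trusted' if ok else 'rejected'}")
```

Against a real deployment you would load the exported root and subordinate CA certificates (for example from the CA MMC or certutil) in place of the constructed ones and pass the presented client certificate as the leaf; the walk itself is unchanged. Note that this check deliberately ignores revocation: as the reply says, the CRL distribution point is a separate concern from the enrollment pages, and a production verifier would also fetch and check the CRL.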