Contents
Clustering the certification authority
Lab environment
Prerequisites specific to Contoso
Understanding naming conventions in certification authority clustering
Action Items
Move the certification authority database to shared disk
Verify the certification authority’s new database and log location
Install Active Directory Services on the second CA cluster node
Verify and Document the Active Directory Certificate Services (ADCS) DNS Name
Stop Active Directory Certificate Services on Node1
Confirm that the shared disk is available to Node2
Confirm that the network HSM is available to Node2
Import the CA certificate into the local computer certificate store
Associate the CA certificate with the key material stored in an HSM
Install the certification authority role on Node2
Setup failover clustering
Setup failover clustering on Node1 and Node2
Configure ADCS as a cluster resource
Create a dependency between the certification authority and the Network HSM service
Post configuration tasks in Active Directory Domain Services (ADDS)
Enable both cluster nodes to update the CA certificate when required
Give both nodes permissions on the Enrollment container
Give both nodes permissions on the KRA container
Adjust the certification authority’s DNS Name in Active Directory Domain Services (ADDS)
Adjust the certification authority’s DNS name in any application requesting certificates from the original node
Copy CAPolicy.inf file from original node Node1 to passive node Node2
This document details the steps required to cluster an existing certification authority running on Windows Server 2008 R2 Enterprise Edition in order to provide fault tolerance and high availability for the service. The procedure was tested in a lab environment and should be tested again in a development environment before it is applied to production systems.
The document assumes certain prerequisites and highlights the risks associated with clustering a certification authority. The sections are divided into the tasks required to achieve this goal. Some tasks, such as configuring the Hardware Security Module (HSM), are covered only briefly in this document because they are carried out by the organization’s IT Security team.
Active Directory Domain: Contoso.com.
Certification Authority: Active Directory Certificate Services is installed and configured on the member server Node1.contoso.com.
Certification Authority Name: The certification authority’s sanitized name is Contoso Issuing CA.
Additional Servers: Node2.contoso.com is the new Active Directory Certificate Services server, joined to the domain, with exactly the same build, patch and driver levels as Node1.contoso.com. This server will be configured as the second node in the certification authority cluster.
Distribution Points: The CRL and AIA distribution points point to a separate member server and are decoupled from the certification authority.
Contoso will configure enterprise issuing certification authorities and then place them in a certification authority cluster once the additional nodes are provisioned. The following prerequisites should be in place before attempting certification authority clustering:
Before you begin, you should plan the names to use during the installation procedure. It is important to properly define these names because they are used throughout the configuration.
The following named items are used in the subsequent sections and step-by-step procedures.
Cluster node: This represents the computer’s host name participating in the cluster. In this document, the cluster nodes refer to Node1.contoso.com and Node2.contoso.com. Both nodes are permitted access to the Authority Information Access (AIA) – CAName, Enrollment Services - CAName, and KRA - CAName objects in Active Directory using Access Control Lists (ACLs). As an example, both nodes Node1 and Node2 are permitted to update the Contoso Issuing CA object in the AIA, Enrollment Services, and KRA containers in Active Directory by giving them full control access.
Cluster: The failover cluster has a unique name that is registered in Active Directory Domain Services (ADDS) and Domain Name System (DNS). This name refers to the cluster name shown in the Failover Cluster Management snap-in, not to the clustered certification authority; there is no dependency between the cluster name and the clustered certification authority. In this document, the cluster name is cluster. Contoso can choose any name for the cluster. The cluster name is registered in Active Directory and DNS automatically when the cluster is created by an enterprise administrator.
Service: The service name is the Domain Name System (DNS) name of the clustered CA service and should be determined before configuring the cluster. It is independent of the cluster name described above. In this document, the service name is ADCS.contoso.com.
Registry Key        Old Value                       New Value
DBDirectory         C:\Windows\System32\Certlog     R:\Certlog
DBLogDirectory      C:\Windows\System32\Certlog     R:\CertLog
DBSystemDirectory   C:\Windows\System32\Certlog     R:\CertLog
DBTempDirectory     C:\Windows\System32\Certlog     R:\CertLog
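The four values in the table live under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration. The following PowerShell is an added example (not part of the original document) that repoints them on whichever node is being attached to the shared disk, refusing to proceed while the CA service is running or if the original database is not yet present at the new location, which is the condition that would otherwise produce an empty database. It assumes the document’s lab values (CA name Contoso Issuing CA, shared disk R:\CertLog) and that the database was already moved there.

```powershell
# Added example: repoint the CA database and log locations to the shared disk.
# Assumes the CA named 'Contoso Issuing CA' and the shared path R:\CertLog from the
# document; adjust both for another environment.
$caName  = 'Contoso Issuing CA'
$newPath = 'R:\CertLog'
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$keys    = 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory'

# 1. The CA service must be stopped before its database paths are changed.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Stopped') {
    throw "CertSvc is $($svc.Status); stop Active Directory Certificate Services first."
}

# 2. Refuse to repoint unless the existing database file (<CA name>.edb) is already at
#    the new location; otherwise the CA would start and create a new, empty database.
$dbFile = Join-Path -Path $newPath -ChildPath ("{0}.edb" -f $caName)
if (-not (Test-Path -LiteralPath $dbFile)) {
    throw "No CA database found at '$dbFile'. Move the database and logs before changing the path."
}

# 3. Record the current values for rollback and for the verification step.
$before = Get-ItemProperty -Path $regPath -Name $keys
foreach ($k in $keys) { '{0,-20} {1}' -f $k, $before.$k }

# 4. Point all four locations at the shared disk (REG_SZ values).
foreach ($k in $keys) {
    Set-ItemProperty -Path $regPath -Name $k -Value $newPath -Type String
}

# 5. Verify every key now points at the shared disk, then cross-check with certutil.
$after = Get-ItemProperty -Path $regPath -Name $keys
$bad   = $keys | Where-Object { $after.$_ -ne $newPath }
if ($bad) { throw "Registry update incomplete for: $($bad -join ', ')" }
certutil -getreg DBDirectory
certutil -getreg DBLogDirectory
```

The certutil output at the end is what the "Verify the certification authority’s new database and log location" step compares against the New Value column.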
This section explains how to set up the second cluster node. The configuration of the second node is slightly different from the first node. Some configuration settings are already defined on the first node so they only need to be applied on the second node.
The configuration of the second node includes the following tasks:
The following procedure describes these tasks in greater detail.
Determine the fully qualified domain name (FQDN) to use for the certification authority cluster service name. In this document it is ADCS.contoso.com.
This step should be reviewed by Contoso’s team so that the procedures required by the HSM vendor are followed to retrieve the key and its associated certificate.
This step should be reviewed by the Well Fargo team so that the procedures required by the HSM vendor are followed to associate the CA’s certificate with the key material on the new node Node2.
Note: do not point the database and log location at the shared disk during this installation. Doing so overwrites the contents of the existing database and logs and leaves an empty database. After installation you change the path in the registry so that it points to the original database.
Note: make sure all cluster validation tests complete with the result "The test passed" before you proceed.
You need to complete three procedures to configure the CA in AD DS:
When the CA service was installed on the first cluster node, it created the Enrollment Services object and put its own fully qualified domain name (FQDN) into that object. Because the CA can now run on either cluster node, the DNS host name stored in the Enrollment Services object must be changed to the CA service name configured in Configure ADCS as a cluster resource.
Any system that requests certificates programmatically from the original certification authority node must update the dNSHostName it uses so that it requests certificates from the clustered CA service name configured in Configure ADCS as a cluster resource.
This step is required to ensure the certification authority’s renewal settings are the same regardless of which node initiates the renewal request.
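The following PowerShell is an added example (not part of the original document) that performs the check behind the two paragraphs above and the naming-convention section: it reads the dNSHostName on the CA’s Enrollment Services object, changes it from the original node to the cluster service name if needed, and then reports whether both node computer accounts hold Full Control on the CA’s AIA, Enrollment Services and KRA objects. It uses the document’s lab names (Contoso Issuing CA, ADCS.contoso.com, Node1/Node2 in CONTOSO) and plain ADSI, so it runs as an enterprise administrator without the AD module.

```powershell
# Added example: verify and fix the clustered CA's AD publishing objects.
# Names below are the document's lab values; change them for another environment.
$caName      = 'Contoso Issuing CA'
$serviceName = 'ADCS.contoso.com'
$nodes       = 'CONTOSO\Node1$', 'CONTOSO\Node2$'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# The Enrollment Services object is where clients discover the CA's DNS host name.
$es      = [ADSI]"LDAP://CN=$caName,CN=Enrollment Services,$pkiBase"
$current = [string]$es.dNSHostName
if ($current -ieq $serviceName) {
    "dNSHostName already set to $serviceName"
} else {
    "dNSHostName is '$current'; changing to $serviceName"
    $es.Put('dNSHostName', $serviceName)
    $es.SetInfo()
}

# Both nodes must be able to update the CA certificate, so each needs Full Control
# (GenericAll) on the per-CA object in the AIA, Enrollment Services and KRA containers.
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
foreach ($container in 'AIA', 'Enrollment Services', 'KRA') {
    $obj = [ADSI]"LDAP://CN=$caName,CN=$container,$pkiBase"
    $acl = $obj.psbase.ObjectSecurity.Access
    foreach ($node in $nodes) {
        $hasFull = $acl | Where-Object {
            $_.IdentityReference.Value -eq $node -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl
        }
        $state = if ($hasFull) { 'Full Control' } else { 'MISSING' }
        '{0,-20} {1,-16} {2}' -f $container, $node, $state
    }
}
```

The ACL check only looks for an explicit or inherited ACE naming the node itself; a node that receives Full Control through group membership will show as MISSING here even though its effective access is sufficient.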