Table of Contents

Applies To:
Scope
Windows Versions That Support Certificate Services Clustering
Cluster Requirements
Supported Deployment Scenarios
Preparing the CA Cluster Environment
  Installing the Operating System on Cluster Nodes
  Setting Up a Shared Storage
  Configuring a Network HSM
Installing and Configuring the CA Cluster
  Understanding Names Used in a Cluster Configuration
  Setting Up the CA Server Role on Additional Cluster Nodes
  Setting Up the Failover Cluster Feature on Cluster Nodes
  Creating a Failover Cluster
  Configuring the Failover Cluster
  Configuring the CRL Distribution Point
  Creating the CRL Objects in Active Directory
  Configuring the CA in Active Directory
  Adjusting the DNS Name for the CA in Active Directory
Certification Authority Renewals
Troubleshooting
With Microsoft Windows Server 2003 and earlier versions, multiple CAs had to be deployed into an infrastructure to achieve redundancy of certificate services.
While you can still have multiple CAs operating in your Active Directory forest, with failover clustering, there is no need to deploy more than one CA to protect certificate services from unexpected failure.
This guide describes the steps required to set up failover clustering starting with Windows Server 2008 and to deploy a CA on shared storage with or without a network hardware security module (HSM).
Shared storage is always a requirement for Failover Clustering. The network HSM ensures strong protection of the CA key material and represents a shared key store at the same time. The active node can always connect to the network HSM regardless of which physical node the cluster runs on.
Clustering support for certificate services is provided by the following versions of Windows.
To run certificate services in a clustered environment, you must understand the prerequisites and under what circumstances a CA cluster is supported.
Deploying AD CS on a failover cluster can accomplish a number of goals for customer environments. These goals are often determined by existing certificate services servers in an environment. There are a number of ways in which a failover cluster can be deployed.
This section focuses on the preparation of the environment for Certificate Services Cluster.
To prepare the cluster nodes, you have to install Windows Server 2008 or Windows Server 2008 R2, Enterprise Edition or Windows Server "8" Beta on all cluster nodes. Deploying a failover cluster requires all cluster nodes to run the same operating system version.
Configuring shared storage can be a complex task. This guide does not provide detailed information about how to configure the shared storage. To set up a shared storage disk for certificate services, see the configuration procedures that apply for your shared storage solution.
Plan the size of the shared storage appropriately for the number of certificates you plan to enroll. 64 KB per certificate is a safe estimate, including the certificate request and possibly a recovery key.
The configuration of a network HSM is specific to the configuration guidelines of the vendor. Since no common setup procedure exists, it is not addressed in this guide.
To make a network HSM available to your CA cluster, follow the steps in the documentation provided by the network HSM vendor.
The following sections describe the installation and configuration of a CA on a failover cluster running on Windows Server 2008, or Windows Server 2008 R2, or Windows Server "8" Beta.
Before you begin, you should think about the names that are used during the installation procedure. It is important to have these names properly defined since they are used throughout the configuration.
The following table explains the names that are used in the subsequent sections. The step-by-step guidance refers to the underlined labels in the following list.
Cluster node name
Cluster name
Service name
CA name
The following screenshots show where the names appear in the Failover Cluster Management Snap-in and in the Certification Authority Administration Snap-in. For illustration purposes, the objects are labeled according to the names described previously.
Setting Up the CA Server Role on the First Cluster Node
This section explains how to install certificate services on the first cluster node.
It is important to understand that the shared resources, like the disk storage that keeps the CA database and log file, must be available to the CA during setup. Releasing these resources for setting up the second node is also important after the setup of this node is finished.
Here are the steps to configure the first cluster node.
The next steps describe how to confirm that the shared disk is available to the node.
If you are using a network HSM, confirm that the network HSM is available to the first node.
Now, you are going to install the Certificate Services on the first node.
10. Select the CA type for the CA and click Next.
11. Select Create a new private key and click Next.
12. Enter the CA name and click Next. For more information about the CA name, see “Understanding Names Used in a Cluster Configuration”.
13. If you are configuring a root CA, define the validity period. If using a subordinate CA, choose whether to submit the request online or save it to a file. Click Next.
14. Change the default paths for the database and log files to the desired location on the shared storage drive set up in “Setting Up a Shared Storage”. Click Next.
15. Click Install.
As a next step, the CA certificate must be exported.
16. Click the Start button, point to Run, type certsrv.msc, and then click OK. Note: On Windows Server "8" Beta, run the command in Windows PowerShell.
17. Select the CA node in the left pane.
18. On the Action menu, click All Tasks, and then click Backup CA.
19. On the Welcome page of the CA backup wizard, click Next.
20. Select Private key and CA certificate and provide a directory name where you want to temporarily store the CA certificate and optionally the key. Click Next.
21. Provide a password to protect the CA key and click Next.
22. Click Finish.
If you are using a network HSM, a warning message will display telling you that the private key cannot be exported. This is expected behavior because the private key will never leave the HSM. Click OK to continue.
The CA service must be shut down to unlock the disk resources.
23. While the CA is selected in the left pane, on the Action menu, click All Tasks, and then click Stop Service.
24. Close the Certification Authority MMC Snap-in.
Detach the shared storage from the cluster node.
25. Go to the Server Manager MMC Snap-in, expand the Storage node, and then select Disk Management.
26. Change the state of the disk keeping the CA database to offline.
Release the HSM from the cluster node.
27. Log off Cluster node one.
The installation of the Certification Authority on the first node is now complete.
This section explains how to set up any additional cluster nodes.
The configuration of the additional nodes is slightly different from the first node. Some configuration settings are already defined on the first node, so they only need to be applied on the other nodes. Install the CA on another cluster node. Log on to the cluster node with an account that has the installation permissions described previously.
Confirm that the shared disk is available to the cluster node.
If you are using a network HSM, confirm that the network HSM is available to the node.
Importing the CA certificate into the local machine certificate store.
certutil -repairstore -csp "{CSP Providername}" My "{Serialnumber}"
and then press ENTER.
For example: certutil –repairstore My "629bdaba68590bbd488c78e0ac57bc2b"
Installing Certificate Services on the node
1. Return to Server Manager.
2. In the left pane, select the Roles node.
3. On the Action menu, click Add Roles.
4. On the Select Server Roles page, mark Active Directory Certificate Services and click Next twice.
5. On the Select Role Services page, make sure that only Certification Authority is marked and click Next. No CA service other than the CA is supported in a clustered environment.
6. Select the exact same setup type for the CA that you used for the first node and click Next.
7. Select the exact same CA type for the CA that you used for the first node and click Next.
8. Select Use existing private key, choose Select a certificate and use its associated private key, then click Next.
9. Select the CA certificate that was generated on the first node and click Next.
10. Change the default paths for the database. In the dialog box stating that an existing database was found, select Yes to overwrite it.
11. Change the default paths for the database log location. In the dialog box stating that an existing database was found, select Yes to overwrite it. Click Next to continue.
12. Click Install.
13. To finish the Role installation, click Close.
14. Log off from the cluster node.
The Failover Cluster support is a feature in Windows Server 2008 Enterprise and Datacenter Edition.
Repeat the following steps on all cluster nodes that will potentially run the Active Directory Certificate Services.
10. Provide the cluster name. This name is not relevant for the later CA configuration. For more information about the CA name, see “Understanding Names Used in a Cluster Configuration”.
11. View the cluster creation report and click Finish.
Certificate services must be configured as a cluster resource.
10. Click Finish to complete the failover configuration for certificate services.
11. In the left pane, expand the Services and Applications node and select the newly created clustered service.
12. In the middle pane, select Generic Service. On the Action menu, click Properties.
13. Change the Resource Name to Certification Authority and click OK.
At this stage, you can move the certification authority between all nodes.
If you have installed a service to access the network HSM, it is recommended that you create a dependency between the CA and the network HSM service. To configure this dependency, follow these optional steps:
The CA configuration tasks should always be performed on the active cluster node.
In the default CA configuration, the server’s short name is used as part of the CRL and AIA path. When a CA is running on a failover cluster, the server’s short name must be replaced with the cluster’s name in the CRL and AIA Uniform Resource Locator (URL).
You must restart the CA service after changing the CRL and AIA.
Follow these steps to make changes to the CRL and AIA URLs:
net stop certsvc && net start certsvc
and press ENTER to restart the CA service.
certutil -CRL
and press ENTER to update the CRL with the new settings applied previously.
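As an added example (not part of the original guide), the following PowerShell script performs the CDP and AIA URL change described above on the active node: it reads the CA's publication URL lists from the CertSvc registry configuration, substitutes the cluster service name for the node's short name, and restarts the CA and issues a new CRL with the same commands as the guide. It assumes the default URL templates, in which the token %2 (ServerShortName) stands for the node's short name and %1 (ServerDNSName) for the node's FQDN, and the names CACLUSTER / cacluster.contoso.com are placeholders for your cluster service name.

```powershell
# Added example, not from the original guide. Run on the active cluster node as a
# CA administrator. Without -Apply the script only prints the rewritten URL lists.
param(
    [string]$ServiceName = 'CACLUSTER',              # placeholder cluster service name
    [string]$ServiceFqdn = 'cacluster.contoso.com',  # placeholder service FQDN
    [switch]$Apply                                   # without -Apply: report only
)

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active   # active CA name
$caKey     = Join-Path $configKey $caName

# CRLPublicationURLs holds the CDP list, CACertPublicationURLs the AIA list.
foreach ($valueName in 'CRLPublicationURLs', 'CACertPublicationURLs') {
    $current = @((Get-ItemProperty -Path $caKey -Name $valueName).$valueName)

    # Each entry is "<flags>:<url>"; only the URL part is rewritten. Assumption: the
    # default templates use %2 for the short name and %1 for the FQDN of the node.
    $updated = @(foreach ($entry in $current) {
        $flags, $url = $entry -split ':', 2
        $url = $url.Replace('%2', $ServiceName).Replace('%1', $ServiceFqdn)
        "${flags}:$url"
    })

    Write-Host "== $valueName =="
    $updated | ForEach-Object { Write-Host "  $_" }

    $changed = Compare-Object -ReferenceObject $current -DifferenceObject $updated
    if ($Apply -and $changed) {
        Set-ItemProperty -Path $caKey -Name $valueName -Value ([string[]]$updated) -Type MultiString
    }
}

if ($Apply) {
    # The CA only picks up the new URLs after a restart; then issue a fresh CRL.
    Restart-Service certsvc
    certutil -CRL
}
```

Review the printed lists before re-running with -Apply; a wrong CDP or AIA path is only noticed once clients fail revocation checking.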
The CRL container has to be created in Active Directory manually, and the CRL must be published manually.
To create the CRL container, use the certutil command with the -f option and execute the command as Enterprise Admin.
cd %WINDIR%\System32\CertSrv\CertEnroll
and press ENTER.
certutil -f -dspublish {CRLfile}
For example: certutil -f -dspublish "CA Cluster.crl"
You can perform the following tasks using any computer in your Active Directory forest where the Active Directory Sites and Services MMC Snap-in and ADSI Edit are installed. To install both tools on Windows Server 2008, add the Active Directory Domain Services feature from the Remote Server Administration Tools to your server with Server Manager. The AIA object in Active Directory stores the CA’s certificate.
To enable all cluster nodes to update the CA certificate when required, perform the following steps:
10. Click Object Types, select Computers, and then click OK.
11. Type the computer name(s) of the other cluster node(s) as the object name and click OK.
12. Make sure that the computer accounts of all cluster nodes have Full Control permissions.
13. Click OK.
All cluster nodes also have to be permitted on the Enrollment Services container.
14. In the left pane, select Enrollment Services.
15. In the middle pane, select the CA name.
16. On the Action menu, select Properties.
17. Click the Security tab.
18. Click Add.
19. Click Object Types, select Computers, and click OK.
20. Type the computer name(s) of the other cluster node(s) as the object name and click OK.
21. Make sure that the computer accounts of all cluster nodes have Full Control permissions.
22. Click OK.
Finally, you must permit all cluster nodes on the KRA container.
23. In the left pane, select KRA.
24. In the middle pane, select the CA name.
25. On the Action menu, select Properties.
26. Click the Security tab.
27. Click Add.
28. Click Object Types, select Computers, and then click OK.
29. Type the computer name of another cluster node as the object name and click OK. Repeat for all other nodes in the cluster.
30. Make sure that the computer accounts of all cluster nodes have Full Control permissions.
31. Click OK.
32. Close the Sites and Services MMC Snap-in.
When the CA service was installed on the first cluster node, it created the Enrollment Services object and put its own fully qualified domain name (FQDN) into that object. Since the CA can operate on any of the cluster nodes, the dNSHostName of the Enrollment Services object needs to be changed to the service name of the CA.
Follow these steps to change the dNSHostName.
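As an added example (not part of the original guide), this PowerShell script makes the dNSHostName change described above through ADSI: it locates the CA's Enrollment Services object in the Configuration partition and sets dNSHostName to the cluster service FQDN. The CA name "CA Cluster" and the FQDN cacluster.contoso.com are placeholders; the account running it must have Enterprise Admin rights, as the guide requires for the Active Directory steps.

```powershell
# Added example, not from the original guide. Run from any domain member as an
# Enterprise Admin. Without -Apply the script only reports the current value.
param(
    [string]$CAName      = 'CA Cluster',             # placeholder CA name
    [string]$ServiceFqdn = 'cacluster.contoso.com',  # placeholder service FQDN
    [switch]$Apply                                   # without -Apply: report only
)

# The Enrollment Services container lives in the Configuration naming context.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value

# CA names containing LDAP-special characters (',' '+' '"' '\' '<' '>' ';')
# would need escaping in the DN; plain names with spaces are fine as-is.
$dn  = "CN=$CAName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
$obj = [ADSI]"LDAP://$dn"

$currentHost = $obj.dNSHostName.Value
Write-Host "Enrollment Services object : $dn"
Write-Host "Current dNSHostName        : $currentHost"
Write-Host "Target dNSHostName         : $ServiceFqdn"

if ($currentHost -eq $ServiceFqdn) {
    Write-Host 'Nothing to do: the object already points at the cluster service name.'
} elseif ($Apply) {
    $obj.Put('dNSHostName', $ServiceFqdn)
    $obj.SetInfo()
    Write-Host 'Updated. Clients see the new name once Active Directory replication completes.'
} else {
    Write-Host 'Re-run with -Apply to commit the change.'
}
```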
When the clustered Certification Authority renews its own certificate, all nodes in the cluster must be updated with the renewed certificate information. This will occur as part of the regular maintenance process of the Certification Authorities as well as when any infrastructure or security requirements dictate the renewal.
Follow these steps to renew the CA certificate and update the cluster nodes with the new CA key.
Renew the CA Certificate and export the Certificate and Private key.
10. In the right pane, open CACertHash for editing.
11. Add the certificate thumbprint to the bottom of the existing values in the key.
12. Use the Cluster Administration tool to take the ADCS service resource offline and then back online to commit changes to the shared storage.
13. Click the Start button, point to Run, type certsrv.msc, and then click OK.
14. Select the CA node in the left pane.
15. On the Action menu, click All Tasks, click Backup CA.
16. On the Welcome page of the CA backup wizard, click Next.
17. Select Private key and CA certificate and provide a directory name where you want to temporarily store the CA certificate and optionally the key. Click Next.
18. Provide a password to protect the CA key and click Next.
19. Click Finish.
Importing the CA certificate into the local machine certificate store on other cluster nodes.
20. Copy the previously exported CA certificate to the cluster node.
21. Click the Start button, point to Run, type mmc, and then click OK.
22. On the File menu, click Add/remove MMC Snap-in.
23. Select Certificates from the list of available snap-ins and click Add.
24. Select Computer account, click Finish twice, and then, click OK.
25. In the Certificate Manager MMC Snap-in, expand the Certificates (Local Computer) node and select the Personal store.
26. On the Action menu, click All Tasks, and then click Import.
27. In the Certificate Import Wizard, click Next.
28. Enter the file name of the CA certificate that was previously created on the first node and click Next. If you use the Browse button to find the certificate, change the file type to Personal Information Exchange (*.pfx,*.p12).
29. Type the password that you have previously used to protect the private key. The password is required even if there is no private key in the PFX file. Do not mark this key as exportable. Click Next.
30. Place the certificate in the Personal certificate store and click Next.
31. To import the certificate, click Finish.
32. To confirm the successful import, click OK.
Repeat as needed for all nodes in the cluster that could potentially run the ADCS resource.
Following the migration of a Windows Server 2003 Certification Authority to a Windows Server 2008 Failover cluster, Active Directory Certificate Services fails to start and the event log shows Event ID 17 – CertificationAuthority.
This error can be caused when the ADCS database is marked for restore operations. Verify that RestoreInProgress does not exist under the registry key HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration. If it does, note the cluster node owning the ADCS resource in the Cluster Administrator tool, remove the RestoreInProgress key on the node owning the service, and restart the cluster ADCS resource.
Certification Authority Web Enrollment does not work properly on a Windows Server 2008 Failover cluster if the ADCS service is also installed on the same cluster node.
If the Certification Authority is on the same node that the Web Enrollment feature is installed on, the node’s DNS name is used in the Web Enrollment certdat.inc file. If the CA is not on the same node, the problem does not occur.
The issue is resolved by modifying the %systemroot%\system32\certsrv\certdat.inc file to change the value of sServerConfig to "<Service name>\<CA name>".
Example - Certdat.inc file entry.
The two cluster nodes: NODE****117 and NODE****118
The certdat.inc file has the entries
sServerConfig="NODE****117.contoso.com\CONTOSOENTCA1" and sServerConfig="NODE****118.contoso.com\CONTOSOENTCA1"
Remove all but one sServerConfig line and change the remaining line to:
sServerConfig="CLUSTER1.contoso.com\CONTOSOENTCA1" where CLUSTER1.contoso.com is the FQDN of the virtual ADCS cluster name.
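As an added example (not part of the original guide), the following PowerShell script checks a cluster node for both troubleshooting conditions in this section: a leftover RestoreInProgress entry under the CertSvc configuration key, and certdat.inc sServerConfig lines that still carry a node name instead of the cluster service name. It assumes the Web Enrollment files are in the default location and takes the FQDN CLUSTER1.contoso.com from the example above as a placeholder.

```powershell
# Added example, not from the original guide. Run on each cluster node; it only
# reports, it does not change anything.
param(
    [string]$ServiceFqdn = 'CLUSTER1.contoso.com'   # placeholder service FQDN
)

$issues = @()

# 1. A RestoreInProgress entry left behind by a migration keeps the CA from
#    starting (Event ID 17). It must be removed on the node owning the resource.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$restore = Get-ItemProperty -Path $configKey -Name RestoreInProgress -ErrorAction SilentlyContinue
if ($restore) {
    $issues += "RestoreInProgress is present under $configKey; remove it on the node " +
               "that owns the ADCS resource and restart the resource."
}

# 2. certdat.inc should hold exactly one sServerConfig line, and it should name
#    the cluster service, not the node that Web Enrollment was installed on.
$certdat = Join-Path $env:SystemRoot 'system32\certsrv\certdat.inc'
if (Test-Path $certdat) {
    $lines = @(Get-Content $certdat | Where-Object { $_ -match '^\s*sServerConfig\s*=' })
    if ($lines.Count -ne 1) {
        $issues += "certdat.inc has $($lines.Count) sServerConfig lines; keep exactly one."
    }
    # Expected form: sServerConfig="<service FQDN>\<CA name>"
    $expected = "^\s*sServerConfig\s*=\s*`"$([regex]::Escape($ServiceFqdn))\\"
    foreach ($line in $lines) {
        if ($line -notmatch $expected) {
            $issues += "certdat.inc line does not use ${ServiceFqdn}: $line"
        }
    }
} else {
    Write-Host "Web Enrollment is not installed on this node ($certdat not found)."
}

if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'No issues found.'
}
```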