VinodReddy-9009 asked

Setup an additional subCA with existing private key - PKI and NDES HA

Hi,

Installing a two-tier PKI with one offline root CA and 3 enterprise subCAs, and associating 3 NDES servers (it's a requirement; I could not convince them of anything else), and making sure that the subCAs and NDES act as HA. I am planning to do the below; please correct me.

1) Add all three sub CA's in CDP and AIA http address on the root
2) The discussion in the link below suggests assigning the same template to all sub CAs. Not sure how it works?
https://social.technet.microsoft.com/Forums/en-US/e179f904-4104-4928-a847-b377c3b00303/designing-a-new-pki?forum=winserversecurity

3) This link talks about a common CDP and AIA. Is this valid? Or enable Double Escaping in IIS, as mentioned toward the end of the forum?
https://social.technet.microsoft.com/Forums/en-US/1dc90fb5-5fe6-40bf-81e7-4faa0dfbb8d5/add-a-second-subordinate-server-in-a-twotier-pki-hierarchy-?forum=winserversecurity

4) and/or copy CRL and CRT files between the 3 sub CA's at regular intervals using a script?


Appreciate advice.

windows-active-directory

Hello @VinodReddy-9009,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @VinodReddy-9009,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered

Hello @VinodReddy-9009,

Thank you for your reply.

2.1) CDP and AIA - I have added all three Enterprise sub CA’s on each sub CA.
http://<FQDN1 of ent Sub CA>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
FQDN 1, 2 and 3 for both CDP (crl) and AIA (crt)
- Is this OK?
A: It should be no problem; it means you put the CRL files and CRT files in multiple locations.


2.2) Should I remove all the Certificate Templates on all three sub CA’s and just add the required custom/duplicate templates? (So that PKI-old is not affected)
A: Certificate Templates are stored on AD Domain Controllers instead of CA servers. I think you should not remove all the Certificate Templates on all three sub CAs.

2.3) In the event of one data centre not available, to achieve HA, will the below steps help?
A: I suggest you test it in your lab to see if it helps.



Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


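The multi-location CDP/AIA layout discussed in 2.1, as an added example (not code from the thread or from Microsoft) using the ADCSAdministration cmdlets on one of the three sub CAs. The hostnames ca1/ca2/ca3.corp.example.com are placeholders. The point a practitioner needs here is the difference between two flags: an HTTP entry with the "include in issued certificates" flag only advertises a location, while only an entry with the publish flag makes the CA write the file. Listing three hosts in every certificate therefore has to be paired with something that actually puts the CRL on all three hosts; the UNC entries in step 3 do that without a copy script, provided the CA's computer account can write to the peers' CertEnroll shares.

```powershell
# Added example, not code from the thread or from Microsoft. Run elevated on ONE enterprise
# sub CA, then repeat on the other two with $local/$peers swapped. Hostnames are placeholders.
Import-Module ADCSAdministration

$local = 'ca1.corp.example.com'                              # this CA
$peers = 'ca2.corp.example.com', 'ca3.corp.example.com'      # the other two sub CAs
$all   = @($local) + $peers

# The <...> tokens are expanded by the CA at publication time; they are the same tokens
# the question uses, so the file name is identical on every host.
$crlFile = '<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$crtFile = '<ServerDNSName>_<CaName><CertificateName>.crt'

# 1. Drop the default ldap/http/file entries but keep the local folder the CA writes into.
#    (Keep the ldap entries instead if domain members should still find CRLs in AD.)
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -notmatch '^[A-Za-z]:\\' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -notmatch '^[A-Za-z]:\\' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# 2. Advertise all three HTTP locations in every certificate this CA issues. A relying
#    party walks the list in order, so one dead host costs a timeout, not a failed
#    revocation check.
foreach ($h in $all) {
    Add-CACrlDistributionPoint -Uri "http://$h/CertEnroll/$crlFile" -AddToCertificateCdp -Force
    Add-CAAuthorityInformationAccess -Uri "http://$h/CertEnroll/$crtFile" -AddToCertificateAia -Force
}

# 3. Advertising is not publishing. A UNC entry with the publish flag makes THIS CA write
#    its CRL to the peers' CertEnroll shares every time it publishes, so the three HTTP
#    locations stay in sync without a copy job. The CA's computer account (ca1$) needs
#    Modify on \\peer\CertEnroll. Add -PublishDeltaToServer if delta CRLs are enabled.
foreach ($p in $peers) {
    Add-CACrlDistributionPoint -Uri "\\$p\CertEnroll\$crlFile" -PublishToServer -Force
}
# The AIA cmdlet has no publish switch, so the CA certificate (.crt) is copied to the
# peers by hand, once now and again after every CA certificate renewal.

# 4. Apply, publish once now so every share holds a current CRL, and show the result.
Restart-Service certsvc
certutil -crl
Get-CACrlDistributionPoint | Format-Table Uri, PublishToServer, AddToCertificateCdp -AutoSize
```

Certificates issued before this change keep their old CDP list, so the extra hosts only help certificates issued afterwards; re-enrol anything that must survive a host outage.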
VinodReddy-9009 answered (edited)

Here is my setup

(1) We already have an existing PKI hierarchy PKI-Old. I cannot remove this, that’s the current requirement.
(2) I am setting up new one “PKI-new”. This will only be used to serve NDES and HA is a requirement.

It is a two tier setup with Offline Root CA and 3 Enterprise Sub CA’s.
So:
2.1) CDP and AIA - I have added all three Enterprise sub CA’s on each sub CA.
http://<FQDN1 of ent Sub CA>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
FQDN 1, 2 and 3 for both CDP (crl) and AIA (crt)
- Is this OK?

2.2) Should I remove all the Certificate Templates on all three sub CA’s and just add the required custom/duplicate templates? (So that PKI-old is not affected)
2.3) In the event of one data centre not available, to achieve HA, will the below steps help?
o Use same certificate template on all three CA’s
o copy the three crl’s between all three CA locations
o Configure overlap, increase the certificate revocation to maybe 7 days and publish the list every day
o and configure DNS round robin

Many thanks,
Vinod


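The four bullets under 2.3, carried through on one sub CA as an added example (not code from the thread). It assigns the shared template, sets a 7-day CRL with a 1-day overlap, republishes daily from a scheduled task, and then reads back the validity window of the CRL just cut. "NDESDevice" and the task name are placeholders. DNS round robin is not shown: the CRL timing is what decides whether a surviving host can keep serving a valid CRL for a failed CA, and with these numbers the last CRL a dead CA produced stays usable for about a week, which is the window in which the NDES servers get re-pointed.

```powershell
# Added example, not code from the thread. Run elevated on each enterprise sub CA.
# "NDESDevice" and "PKI-Daily-CRL" are placeholder names (assumptions).
Import-Module ADCSAdministration

# 1. Same template on all three CAs. NDES can only be bound to one CA at a time, so a
#    re-point to a peer only works if that peer issues the same template(s).
$templates = 'NDESDevice'            # add the RA (signing/encryption) templates if duplicated
foreach ($t in $templates) {
    if (-not (Get-CATemplate | Where-Object Name -eq $t)) {
        Add-CATemplate -Name $t -Force
    }
}

# 2. CRL timing. NextUpdate = ThisUpdate + CRLPeriod + CRLOverlapPeriod, so a CRL cut
#    today is valid for 8 days. With daily republication (step 3) the copy on the web
#    hosts never has less than ~7 days left when a CA goes down.
certutil -setreg CA\CRLPeriodUnits 7
certutil -setreg CA\CRLPeriod 'Days'
certutil -setreg CA\CRLOverlapUnits 1
certutil -setreg CA\CRLOverlapPeriod 'Days'
certutil -setreg CA\CRLDeltaPeriodUnits 0     # no delta CRLs: fewer files to keep in sync
Restart-Service certsvc

# 3. Republish every day at 02:00, independent of the CA's own 7-day schedule.
#    LocalSystem is in the local Administrators group, which holds "Manage CA" by default.
$action    = New-ScheduledTaskAction -Execute 'certutil.exe' -Argument '-crl'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'PKI-Daily-CRL' -Action $action -Trigger $trigger `
    -Principal $principal -Force

# 4. Cut one now and confirm the validity window on the file the CA just wrote.
#    (certutil prints dates in the server's locale; adjust the parse if it is not en-US.)
certutil -crl
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$crl    = Join-Path $env:windir "System32\CertSrv\CertEnroll\$caName.crl"
$line   = (certutil -dump $crl | Select-String 'NextUpdate:' | Select-Object -First 1).Line
$next   = [datetime]::Parse(($line -replace '.*NextUpdate:\s*', ''))
"CRL for $caName valid until $next ({0:N1} days)" -f ($next - (Get-Date)).TotalDays
```

Seven days of validity also bounds how long a revoked NDES-issued certificate stays accepted after its CA disappears; shorten CRLPeriodUnits if that window is too long for the devices being enrolled.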
DaisyZhou-MSFT answered

Hello @VinodReddy-9009,

Thank you for your reply.

In my lab, I install NDES on one member server instead of CA server.

You can install NDES on CA server or member server.

Can I install the NDES role on a Clustered Certification Authority?
You can install it on any of the Certification Authority cluster nodes, and then point the NDES configuration to the Clustered Certification Authority to request certificates. This will not provide service high availability or load balancing. It is recommended to install the Network Device Enrollment Service on a separate member server if you already have a clustered CA.

For more information, please refer to link below.

Network Device Enrollment Services (NDES) Frequently Asked Questions (FAQ):
https://social.technet.microsoft.com/wiki/contents/articles/12610.network-device-enrollment-services-ndes-frequently-asked-questions-faq.aspx

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


Sorry, my question was not clear. NDES will be on separate member servers.

I am thinking of configuring all 3 NDES servers to point to a single Issuing CA and configuring a static phrase/password for NDES.
In this option, maybe I can copy the CRL between the CAs and manually re-point the NDES to the other two CAs if any one of the CAs fails, to achieve HA?

https://ronnydejong.com/2018/03/21/microsoft-intune-introduced-high-available-ha-support-for-scep-pfx-connector/
or
https://blog.kloud.com.au/2018/01/22/updated-intune-and-ndes-reference-architecture-multiple-ndes-patterns/

Many thanks,
Vinod.


Hello @VinodReddy-9009,

Thank you for your reply.

Q: In this option, maybe I can copy the CRL between the CAs and manually re-point the NDES to the other two CAs if any one of the CAs fails, to achieve HA?
A: Based on my knowledge, maybe it does not achieve HA. You can test in your lab to check if needed.

I am sorry, I am not an expert on Intune and Microsoft Azure topics; if you need to know more about NDES in Intune and Microsoft Azure, I suggest you post by selecting the NDES and Intune or NDES and Azure tags if needed.

Thank you for your understanding and support.

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


Many thanks for your response. I need a bit more clarification on the below, please.

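The check behind "manually re-point the NDES to the other two CAs if any one of the CAs fails": an added example (not code from the thread) that probes the three NDES servers over SCEP and the three issuing CAs over DCOM, and reads the binding on an NDES host. SCEP's GetCACaps operation (RFC 8894) is an unauthenticated GET that every SCEP server answers, and on NDES it is served by mscep.dll under /certsrv/mscep/. Hostnames and CA names are placeholders; the MSCEP\CAInfo registry path in step 3 is an assumption to confirm on your build. One caveat on the static challenge mentioned above: with UseSinglePassword the challenge is a standing shared secret, and anyone who obtains it can enrol until it is rotated, so treat it like a password to the CA.

```powershell
# Added example, not code from the thread. Steps 1 and 2 run from any management host;
# step 3 runs on an NDES server. All names below are placeholders (assumptions).
$ndes = 'ndes1.corp.example.com', 'ndes2.corp.example.com', 'ndes3.corp.example.com'
$cas  = @{
    'ca1.corp.example.com' = 'Corp-Sub-CA1'
    'ca2.corp.example.com' = 'Corp-Sub-CA2'
    'ca3.corp.example.com' = 'Corp-Sub-CA3'
}

# 1. SCEP liveness: a plain-text capability list back from mscep.dll means IIS, the
#    MSCEP application pool and the RA configuration on that NDES host are all up.
foreach ($n in $ndes) {
    $url = "http://$n/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACaps&message=ca"
    try {
        $r    = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        $caps = ($r.Content -split "`n" | ForEach-Object Trim | Where-Object { $_ }) -join ','
        "{0,-26} UP   caps={1}" -f $n, $caps
    } catch {
        "{0,-26} DOWN {1}" -f $n, $_.Exception.Message
    }
}

# 2. CA liveness: certutil -ping does an authenticated DCOM round trip to the CA service,
#    the same path NDES uses when it submits a request. Non-zero exit code = unreachable.
foreach ($h in $cas.Keys) {
    $config = "$h\$($cas[$h])"
    $out    = certutil -ping -config $config 2>&1
    $state  = if ($LASTEXITCODE -eq 0) { 'UP' } else { 'DOWN' }
    "{0,-40} {1,-4} {2}" -f $config, $state, (($out | Select-Object -Last 1) -join '')
}

# 3. On an NDES host: which CA is it bound to, which templates does it use, and is the
#    challenge a static shared secret? (CAInfo\Configuration is an assumption; confirm it.)
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$cfg   = Get-ItemProperty $mscep
[pscustomobject]@{
    CAConfig               = (Get-ItemProperty "$mscep\CAInfo" -ErrorAction SilentlyContinue).Configuration
    UseSinglePassword      = $cfg.UseSinglePassword
    EncryptionTemplate     = $cfg.EncryptionTemplate
    GeneralPurposeTemplate = $cfg.GeneralPurposeTemplate
    SignatureTemplate      = $cfg.SignatureTemplate
}
```

Run steps 1 and 2 from monitoring on a short interval: an NDES host reporting UP while its bound CA reports DOWN is exactly the state in which enrolment silently fails and a re-point is due.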
VinodReddy-9009 answered

Thanks a lot Daisy. I will go through the steps and update this post.
Also, any suggestions on NDES? We need 3 NDES close to the 3 enterprise sub CAs to achieve HA. As I understand it, MS does not support HA for NDES?

DaisyZhou-MSFT answered

Hello @VinodReddy-9009,

Thank you for posting here.

Based on the description above, I understand you want to set up two-tier PKI with one offline root CA and three parallel online enterprise sub CAs.

And here are my suggestions for your references.

1) Add all three sub CA's in CDP and AIA http address on the root
A: Prepare four Windows servers, one server for offline root CA and three servers for online enterprise sub CAs.

And then deploy it based on the steps in the following link.
AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx


2) The discussion in the link below suggests assigning the same template to all sub CAs. Not sure how it works?
https://social.technet.microsoft.com/Forums/en-US/e179f904-4104-4928-a847-b377c3b00303/designing-a-new-pki?forum=winserversecurity
A: Deploy two-tier PKI based on the steps in the following link, you do not need to assign template to all sub CA's.

3) This link talks about a common CDP and AIA. Is this valid? Or enable Double Escaping in IIS, as mentioned toward the end of the forum?
https://social.technet.microsoft.com/Forums/en-US/1dc90fb5-5fe6-40bf-81e7-4faa0dfbb8d5/add-a-second-subordinate-server-in-a-twotier-pki-hierarchy-?forum=winserversecurity

A: A common CDP and AIA is one location in which you can put the CRL files and CRT files. You can create one or more CDP and AIA locations based on your requirements.

Usually, for CDP and AIA locations, we can set up one or more locations (file, http and ldap locations).

Configure the CDP and AIA Extensions on CA1
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1

4) and/or copy CRL and CRT files between the 3 sub CA's at regular intervals using a script?
A: For CRL and CRT files on sub CAs, you do not need to copy them, because they are in the domain; for CRL and CRT files on the offline root CA, you can copy them using a script at regular intervals, or copy them manually after you republish the CRL and renew the root CA cert (because usually the validity period of the root CA's CRL or certificate is relatively long).

For more information, please refer to link below.
AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx


Tip: Each of the above small steps contains a lot of operations.
It is recommended that you set up a similar CA environment in a test environment, record all these steps in a document if needed, and write down the key points and precautions.
If there are no problems, follow similar steps in the production environment, so that even if you encounter problems in production, you should be able to troubleshoot or solve them.

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

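Points 3 and 4 of the answer above, as one added example (not code from the thread or from Microsoft): a replication job for the files the CAs do not push for you, the IIS setting behind the "double escaping" remark, and a check of what a client actually gets from each HTTP location. The staging share, hostnames and CA names are placeholders; the job assumes the offline root's CRL and certificate were exported to the staging folder by hand after each publication. The IIS part exists because delta CRL file names end in "+", which IIS request filtering rejects as a double escape sequence (HTTP 404.11) unless allowDoubleEscaping is enabled; sites that publish no delta CRLs can skip that step.

```powershell
# Added example, not code from the thread or from Microsoft. Run from a management host
# with admin rights on the three CAs; all names below are placeholders (assumptions).
$hosts   = 'ca1.corp.example.com', 'ca2.corp.example.com', 'ca3.corp.example.com'
$staging = '\\mgmt.corp.example.com\pki-staging'   # root CA CRL/CRT dropped here by hand

# 1. Files nobody publishes for you: the offline root's CRL and certificate, and each
#    sub CA's own certificate. Copy only when missing or changed.
$toSync = Get-ChildItem $staging -Include *.crl, *.crt -Recurse
foreach ($h in $hosts) {
    $share = "\\$h\CertEnroll"
    foreach ($f in $toSync) {
        $dest = Join-Path $share $f.Name
        if (-not (Test-Path $dest) -or
            (Get-FileHash $f.FullName).Hash -ne (Get-FileHash $dest).Hash) {
            Copy-Item $f.FullName $dest -Force
            "copied $($f.Name) -> $share"
        }
    }
    # 2. Let IIS serve "<CA>+.crl" delta CRL names (request filtering blocks '+' by default).
    Invoke-Command -ComputerName $h -ScriptBlock {
        & "$env:windir\System32\inetsrv\appcmd.exe" set config 'Default Web Site' `
            /section:system.webServer/security/requestFiltering /allowDoubleEscaping:True
    }
}

# 3. Verify from the client's point of view: every host serves every CRL, the copies are
#    byte-identical across hosts, and NextUpdate is still in the future.
$crlNames = 'Corp-Root-CA.crl', 'Corp-Sub-CA1.crl', 'Corp-Sub-CA2.crl', 'Corp-Sub-CA3.crl'
$problems = @()
foreach ($name in $crlNames) {
    $seen = @{}
    foreach ($h in $hosts) {
        $tmp = Join-Path $env:TEMP "$h-$name"
        try {
            Invoke-WebRequest -Uri "http://$h/CertEnroll/$name" -UseBasicParsing -OutFile $tmp
        } catch {
            $problems += "$h does not serve $name : $($_.Exception.Message)"
            continue
        }
        $seen[$h] = (Get-FileHash $tmp -Algorithm SHA256).Hash
        $line = (certutil -dump $tmp | Select-String 'NextUpdate:' | Select-Object -First 1).Line
        $next = [datetime]::Parse(($line -replace '.*NextUpdate:\s*', ''))   # locale-dependent
        if ($next -lt (Get-Date)) { $problems += "$h serves an expired copy of $name (NextUpdate $next)" }
    }
    if (($seen.Values | Sort-Object -Unique).Count -gt 1) { $problems += "copies of $name differ across hosts" }
}
if ($problems) { $problems | Write-Warning } else { 'all CRLs current and identical on all hosts' }
```

Schedule step 1 to run more often than the shortest CRL period in play, and alert on any output from step 3: a stale or missing copy on one host is invisible to clients until that host happens to be the first CDP entry they try.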