Hi,
I am installing two PKI with one offline root CA and 3 enterprise sub CAs, associating 3 NDES servers (it's a requirement, could not convince for anything else), and making sure that the sub CAs and NDES act as HA. Planning to do the below, please correct me:
1) Add all three sub CAs in the CDP and AIA HTTP address on the root
2) The discussion in the link below suggests assigning the same template to all sub CAs. Not sure how it works?
https://social.technet.microsoft.com/Forums/en-US/e179f904-4104-4928-a847-b377c3b00303/designing-a-new-pki?forum=winserversecurity
3) This link talks about a common CDP and AIA. Is this valid? Or enable Double Escaping in IIS as mentioned toward the end of the forum?
https://social.technet.microsoft.com/Forums/en-US/1dc90fb5-5fe6-40bf-81e7-4faa0dfbb8d5/add-a-second-subordinate-server-in-a-twotier-pki-hierarchy-?forum=winserversecurity
4) and/or copy CRL and CRT files between the 3 sub CAs at regular intervals using a script?
Appreciate any advice.