ThisisParya-7758 asked ThisisParya-7758 commented

Prior Subordinate CA for some users

Hi All,
I have some sites that use an internal CA server with a computer template, NPS and a user template.
I have two subordinate CAs. Can I implement the below role, and if yes, how?
I want Site A to use Subordinate1 and, if it fails for any reason, then check Subordinate2.
Likewise, Site B uses Subordinate2 and, if Subordinate2 fails for any reason, users and computers check Subordinate1.
Also, I want to know: do both Subordinate CAs replicate with each other? (Do they have the same issued and revoked certificates?)

Regards


FanFan-MSFT answered ThisisParya-7758 commented

Hi,
Welcome to ask here!

For your questions:
1. Subordinate CAs will not replicate with each other.

2. I want Site A to use Subordinate1 and, if it fails for any reason, then check Subordinate2; likewise Site B uses Subordinate2 and, if Subordinate2 fails for any reason, users and computers check Subordinate1.
Yes, you can achieve this by enabling certificate services site awareness on each CA.

To enable certificate services site awareness, the msPKI-Site-Name attribute must be populated for the certification authority (CA) object in the Enrollment Services container of Active Directory Domain Services (AD DS). The Enrollment Services container is in the Configuration container of AD DS under CN=Public Key Services,CN=Services,CN=Configuration,DC=<domainDistinguishedNamingContext>. For example, the following figure shows a CA named CPANDL-ECA1 with an msPKI-Site-Name attribute value of Main.

Then, when enrolling for a template-based certificate, the client queries AD DS for the template and the CA objects. The client then uses a DsGetSiteName function call to get its own site name. For CAs with the msPKI-Site-Name attribute already set, the certificate services client determines the AD DS site link cost from the client site to each target CA site. A DsQuerySitesByCost function call is used to make this determination. The certificate services client uses the returned site costs to prioritize the CAs that allow the client the Enroll permission and support the relevant certificate template. Higher-cost CAs are contacted last (only if the former CAs are unavailable).
For more details, you can refer to the following link:
https://social.technet.microsoft.com/wiki/contents/articles/14106.ad-ds-site-awareness-for-ad-cs-and-pki-clients.aspx
Before changing the production environment, you'd better try it in a test lab.

Best Regards,


Hi Fanfan,
It was a quite complete answer and I appreciate it. But I have some more questions.
1. If I have multiple sites, can I assign one CA server to multiple sites?
2. If the cost in the Sites and Services setting is the same, what will happen? Could I use the prioritization process again?
3. If the architecture is a Root CA and two Subordinate CAs, and a client from site A is granted a certificate from SubordinateA, and after that SubordinateA is unreachable for renewing, does SubordinateB accept the request? (If yes, why does it accept the request?)

Thanks a million

Hi,
For your questions:
1. If I have multiple sites, can I assign one CA server to multiple sites?
Yes, of course. Just enable certificate services site awareness on each CA (it is not enabled by default).
2. If the cost in the Sites and Services setting is the same, what will happen? Could I use the prioritization process again?
The following statements apply to the way that a certificate services client contacts the appropriate CA:

Each set of CAs that have identical costs will be ordered randomly within that set, to evenly distribute the load.
Enrollment is attempted through the lowest cost CAs (smallest numeric site cost value).
If contacting that CA fails, the next higher cost CAs are tried.
If none of the CAs (that allow Enroll permission and publish the relevant template) are accessible or responding, the enrollment request fails.
3. If the architecture is a Root CA and two Subordinate CAs, and a client from site A is granted a certificate from SubordinateA, and after that SubordinateA is unreachable for renewing, does SubordinateB accept the request? (If yes, why does it accept the request?)

I think only the CA who issued the certs can accept the renew request.
Best Regards,

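The CA selection order described in this thread (filter by Enroll permission and published template, lowest site-link cost first, random order within an equal-cost set, then fail over to the next set) as an added Python simulation; it is not code from the thread or from AD CS. The site-cost table, CA names and template names are constructed, and a real client obtains the costs from DsQuerySitesByCost rather than from a dictionary.

```python
import random
from dataclasses import dataclass

@dataclass
class CA:
    name: str
    sites: list           # constructed values of the CA's msPKI-Site-Name attribute
    templates: set        # templates the CA publishes
    enroll_allowed: bool  # whether the client holds Enroll permission on this CA

# Constructed site-link cost table: (client site, CA site) -> cost; a real
# client gets these numbers from DsQuerySitesByCost.
SITE_COSTS = {
    ("SiteA", "SiteA"): 0, ("SiteA", "SiteB"): 100,
    ("SiteB", "SiteB"): 0, ("SiteB", "SiteA"): 100,
    ("Branch", "SiteA"): 50, ("Branch", "SiteB"): 50,
}

def ca_cost(client_site, ca):
    """Lowest cost from the client's site to any site the CA is tagged with.
    Returns None when the CA has no reachable msPKI-Site-Name value
    (assumption: such CAs are sorted after every costed CA)."""
    costs = [SITE_COSTS[(client_site, s)] for s in ca.sites
             if (client_site, s) in SITE_COSTS]
    return min(costs) if costs else None

def order_cas(client_site, cas, template, rng=random):
    """Return the CAs in the order the client would try them."""
    candidates = [c for c in cas if c.enroll_allowed and template in c.templates]
    groups = {}
    for c in candidates:
        groups.setdefault(ca_cost(client_site, c), []).append(c)
    ordered = []
    for cost in sorted(k for k in groups if k is not None):
        group = list(groups[cost])
        rng.shuffle(group)          # equal-cost CAs are tried in random order
        ordered.extend(group)
    ordered.extend(groups.get(None, []))
    return ordered

def enroll(client_site, cas, template, reachable, rng=random):
    """Walk the ordered list; return the first reachable CA's name, or None."""
    for c in order_cas(client_site, cas, template, rng):
        if c.name in reachable:
            return c.name
    return None   # no CA with Enroll permission and the template answered

# Constructed example: one subordinate CA per site, both publishing Computer/User.
CAS = [CA("Sub1", ["SiteA"], {"Computer", "User"}, True),
       CA("Sub2", ["SiteB"], {"Computer", "User"}, True)]
```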

Hi,
I really appreciate the answers. I have some more questions to dig deeper into it.
1. If we have NPS and clients that have a certificate from sub2, and for some reason sub2 is powered off, what will happen to the clients? Do they get stuck in authentication because of checking the CRL?
2. If subordinate2 is shut down for some reason, what will happen to all the clients that use a template, whether the computer template, the NPS template or the user template?

Hi,
Certificates will begin to fail validation once the published Certificate Revocation List (or Delta CRL, if they're in use) expires or is inaccessible (make sure that not all of your distribution points are on the CA itself). You can configure several locations for the CRL.
For more information about CDP configuration, you can refer to:
https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx#Configure_the_CDP

The valid time of the CRL will depend completely on your configuration and may be anywhere from under an hour to several months.

The Enterprise PKI snap-in (pkiview.msc) is a useful resource for checking the status and expiration times of your CRLs, and you can check their configured lifetimes on the CA.
For the standard CRL:
certutil -getreg ca\crlperiodunits
certutil -getreg ca\crlperiod

And the delta:
certutil -getreg ca\crldeltaperiodunits
certutil -getreg ca\crldeltaperiod

2. As mentioned above, certificates will fail once the CRL expires or the certificates themselves expire, since neither the CRL nor the certificates can be renewed.
The important thing is to back up your CAs regularly.
If you have more questions, you may create a new thread. It will be helpful to collect more advice from users.

Best Regards,


Hi,

Just checking in to see if the information provided was helpful.

If the reply helped you, please remember to accept it as an answer.
If not, please reply and tell us the current situation in order to provide further help.

Best Regards,


Hi FanFan,
I implemented a two-tier hierarchy in our organization. We have one offline root CA and two enterprise CAs, one for country A and the second for country B.
I used the "msPKI-Site-Name" attribute to prioritize ca-enterprise-countryA for users and computers in country A by adding their site names via this command:
certutil -setcasites -f -config "<CAConfigName>" <SiteName>, <SiteName>
and
I used the "msPKI-Site-Name" attribute to prioritize ca-enterprise-countryB for users and computers in country B.
The Sites and Services setting is like below:
cacountryA is in site countryA, and all the sites that are prioritized have cost 100 to the main site in countryA.
and
cacountryB is in site countryB, and all the sites in that country have cost 50.

I have now faced an issue that many computers and users in countryA sites are getting certificates from the CA in countryB, and vice versa.
Also, I should mention that the network does not have any communication problems.
Do you know what is wrong?


Thanks FanFan,
Your comments were so helpful for me.
Regards

Evgenij-Smirnov answered

Hi,

A CA is a unique entity, so it does not replicate its database with anybody else. Within an AD forest you can always publish the same set of templates to multiple CAs (I assume we're talking about Microsoft Enterprise PKI here) so that the endpoints will try them one after another until they find a working CA.

However, if you are worried about certificate validation, you can copy the CRL wherever you like. Do keep in mind, though, that the paths used for validation must come from within the certificate itself, i.e. you cannot change them for a particular certificate after it has been issued. You could implement a common namespace for the HTTP-based CDP or OCSP which contains servers in both locations with some kind of load balancing above it. An LDAP-based CDP is replicated anywhere within the forest by default.