2 Subordinate CAs - Fault tolerance for enrolment / renewal

We are in the process of deploying an internal PKI with:

  • 1 standalone offline root CA
  • 2 subordinate online Enterprise CAs

For the subordinate CAs, we don't want to run them in a Windows failover cluster for various internal reasons. However, the plan is to have both subordinate CAs online with the same certificate templates published on both of them to achieve some level of fault tolerance for issuing certificates if one of the issuing CAs is down.

I had a few questions regarding this:

1) Certificate issuance - If both subordinate CAs publish the same templates, how do clients determine which of the 2 CAs to contact to issue the certificate?

2) Autoenrollment - I remember reading on one of these Technet forum threads that if both CAs publish the same template with autoenrollment enabled, then clients will receive 2 copies of the certificate - one from each CA. Can someone please confirm if this is the way it works with autoenrollment?

3) Certificate renewal - If the CA that originally issued a certificate is down, then can the 2nd CA fulfil a request for certificate renewal (NOT enrolment) from a client? (Or can renewal requests only be fulfilled by the original CA that issued the certificate?)

4) Design - I'm new to PKI, and I was wondering if a similar design (multiple subordinate CAs with same templates) was fairly common, or if you would not recommend it for any reason.

I wanted to add - I understand that having 2 subordinate CAs will not provide for fault tolerance for the CRL of a CA, if the CRL expires when the CA is down. These questions are more directed towards fault tolerance of issuing / renewing certificates.

Thanks in advance for your help!

Regards,

Mario

September 6th, 2015 11:59pm
