CRL in two issuing CA environment
We have a two-tier CA infra with one issuing CA. The operating system is Windows 2008 Ent. Currently the CRL is published on the issuing CA web server. Now we plan to add another CA.

Q1. Can I migrate my existing issuing CA to a Windows cluster CA without loss of existing certificates?

If option 1 is not possible, then I assume I should add another enterprise subordinate CA. There are a few questions on this:

Q2. When I have two issuing CAs, which one will publish the CRL?

Q3. Currently the HTTP CDP path points to the existing issuing CA (using a DNS CNAME entry). When there are two issuing CAs, I think we need to publish the CRL on a third server and change the CNAME entry in DNS to point to that server. Please suggest if this is correct.

Q4. If we publish the CRL on an external web server, do we need to manually copy the CRL to the external web server on a regular basis? In that case, which CRL do we need to copy, from IssuingServer1 or from IssuingServer2?

Manoj
May 22nd, 2012 6:59am

1) Can you please suggest some document? What I found is that the server must already be in a cluster before you can install any clustered service. 2) Which node will publish the CRL if the issuing servers are not in the cluster?

Manoj
May 22nd, 2012 12:26pm

My CDP has a single URL, pointing to the existing CA. When two different CAs publish the CRL, what shall I put in the CDP (server1, server2, or an external web server)?

Manoj
May 29th, 2012 7:16am

Best practice is that you use a DNS name that points to a virtual IP that is load balanced by NLB or some other load balancing infra. So if one goes down, the other can still respond to the requests. This is the same general concept for a lot of highly available setups (cf. ISA, IIS, CAS, ...). If you implement OCSP you can use these web servers to host the CRL (for the clients who don't speak OCSP). You can use the same load balancing setup.
May 29th, 2012 7:54am

Will both the servers (Issuing1 and Issuing2) issue the same CRL? If yes, then it's okay. If not, then we will have two CRL names in the CDP, both containing different entries. In that case, which CRL will the client refer to? Like:

6:http://crl.test.com/crl/CA1.crl
6:http://crl.test.com/crl/CA2.crl

I know that in ADCS, both issuing CAs use the same template database configured in the Configuration partition in AD. But I think Server1 can only see the certificates issued by itself (not issued by Server2). Similarly they publish different CRLs based on their own certificate database. Please correct me if I am wrong.

Manoj
May 29th, 2012 9:17am

> Will both the servers (Issuing1 and Issuing2) issue the same CRL?

Did you read my previous posts? If CAs are not members of the same cluster, URLs (at least file names) MUST be different.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
May 30th, 2012 1:28am

If we take the scenario: CRL1 (issued by CA1) contains serial nos. 1-10. CRL2 (issued by CA2) contains serial nos. 11-20. The CDP path contains two URLs:

6:http://crl.test.com/crl/CA1.crl
6:http://crl.test.com/crl/CA2.crl

Now there is a client which wants to check the validity of a certificate with serial number 15. As in the CDP the client finds the URL of CRL1 first (containing serials 1-10 for revoked certificates), the client downloads CRL1 and finds that serial number 15 is not listed there, and it will assume that the certificate with serial number 15 is still. While in fact the certificate with serial number 15 has already been revoked by CA2. Will the client check both the CRLs or only the first?

Manoj
May 30th, 2012 7:08am
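As an added example (not from the thread or any of its posters), assuming issuing CAs named CA1 and CA2, a CRL host reachable as \\crlweb\crl$ behind the thread's http://crl.test.com/crl/ URL, and a script saved as C:\Scripts\Publish-Crl.ps1, this shows the CDP configuration that gives each CA its own CRL file name (the point raised in the two posts above) and the per-CA copy job asked about in Q4:

```powershell
# ===== Part 1: run once on EACH issuing CA (assumed names CA1 and CA2) =====
# certutil expands %3 to the CA's own name, so CA1's certificates carry
# http://crl.test.com/crl/CA1.crl in their CDP and CA2's carry .../CA2.crl.
# The CDP a client follows comes from the certificate being checked, not from
# a list on the server: a certificate with serial 15 issued by CA2 points only
# at CA2.crl, so the client never looks for it in CA1.crl.
#
# Prefix flags: 1 = publish CRL to this path, 2 = add URL to issued certs' CDP,
# 4 = add URL to the Freshest CRL extension; 6 = 2 + 4 (the value in the thread).
# %8 = CRL name suffix (empty for the base CRL), %9 = delta suffix if enabled.
$localPath = "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"
$httpPath  = "6:http://crl.test.com/crl/%3%8%9.crl"
certutil -setreg CA\CRLPublicationURLs "$localPath\n$httpPath"   # \n = next REG_MULTI_SZ entry
Restart-Service certsvc
certutil -CRL     # publish a CRL now so the new CDP is in place before certs are issued

# ===== Part 2: Publish-Crl.ps1, scheduled on EACH issuing CA (Q4) =====
# Every CA copies its OWN CRL file; there is no single CRL to choose between.
# Run it more often than the CRL validity period so the external copy never goes stale.
$src  = "$env:windir\system32\CertSrv\CertEnroll\*.crl"
$dest = '\\crlweb\crl$'    # assumed share that serves http://crl.test.com/crl/
foreach ($crl in Get-ChildItem -Path $src) {
    $target = Join-Path $dest $crl.Name
    # copy only when the external copy is missing or older than the CA's file
    if (-not (Test-Path $target) -or ((Get-Item $target).LastWriteTime -lt $crl.LastWriteTime)) {
        Copy-Item -Path $crl.FullName -Destination $target -Force
        Write-Host "Published $($crl.Name) to $dest"
    }
}

# Register the copy job (schtasks.exe is present on Windows Server 2008):
schtasks /Create /TN "Publish CRL" /SC HOURLY /RU SYSTEM /TR "powershell.exe -NoProfile -File C:\Scripts\Publish-Crl.ps1"

# ===== Check from any domain client: follows the CDP named in the certificate =====
# issued.cer is an assumed export of a certificate issued by CA2; the output lists
# which CRL was downloaded and whether the certificate is reported as revoked.
certutil -verify -urlfetch .\issued.cer
```

Schedule the copy with a margin inside the CRL validity period (or lengthen the CRL overlap on the CA); if the external copy expires before the next run, clients will fail revocation checking even though the CA has already issued a fresh CRL.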

Maybe I am not explaining the question in the right way, but I did not find the answer in the article. Anyway, thank you for the support.

Manoj
May 31st, 2012 10:46am
