Geographically fault-tolerant CAs
Hey all,

We are setting up a system where we will offer client certs to users of our web service. We have two data centers, one primary and one failover. I have set up an offline root and an issuer in each datacenter. We semi-regularly switch services to the other datacenter to run for some time during maintenance or other events, and of course it is there for disaster recovery. Given that, we could be in either datacenter when we need to turn up a new web client cert.

Given the shared root, I can issue a client cert from either issuing CA and it will be accepted by the web servers in either datacenter. This requires access to the CRL, which we will manage either by copying the CRLs over 'manually' or by adding a CRL access point into the cert that speaks directly to the other DC. Suggestions on the best way to do this are appreciated but not the focus of my question.

My question is: in a significant event, we could lose one of the issuing servers. At the end of the published CRL, we would lose all the certs issued by that CA. From a security standpoint we don't want to turn off CRL checking (or make the expiration so long as to achieve the same thing). I am looking at options.

1. Restore a backup to a new server. This would require rebuilding the domain and the server (assuming a complete loss of the datacenter). Is this possible in the event that the domain is gone (the two datacenters do not share an AD forest)?
2. Turn off CRL checking (not really a good option).
3. I have seen some mention of using the 'down' CA's private key to re-sign and extend the CRLs, but haven't seen details as to how to do that.
4. I think there must be a better way. How do people generally address this?

Thanks
ej
-- cornasdf - http://cornasdf.blogspot.com
August 20th, 2010 6:33pm

Hi,

My suggestion is to restore the server from backup. Another option could be to set up a cluster environment. For details, please see http://technet.microsoft.com/en-us/library/cc742424(WS.10).aspx

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 25th, 2010 10:38am

In my understanding, geo-clustering would require a shared domain (non-geo clustering doesn't address the issue). That isn't possible between our prod and DR sites. Restoring the server from backup would, in a worst case such as a full datacenter loss, require a rebuild of the AD since these CAs are enterprise CAs. But it seems to be all I have at this point.

We are setting our CRL period and delta period to decently aggressive values but have upped our overlap period to give us more time to mitigate the disaster. This will allow us to get revocation out in a timely manner but give us some breathing room if the sh*t hits the fan.

Also, I found the article that discusses re-publishing the CRL from a down server: http://technet.microsoft.com/en-us/library/cc782041%28WS.10%29.aspx

I still think there must be a better way.
-- cornasdf - http://cornasdf.blogspot.com
September 6th, 2010 3:31pm
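The mechanism behind option 3 in the question (re-signing the last CRL with the down CA's key), shown as an added example that is not from the thread or from Microsoft: if the CA server is lost but a backup of its signing key and certificate survives (on AD CS, what Backup CA / certutil -backupKey produces), that key can re-issue the existing CRL with the same revoked entries, a later nextUpdate, any serials revoked since, and an incremented CRL number, so relying parties keep getting a valid CRL until the CA is rebuilt. The CA name, serial numbers, dates and lifetimes below are constructed for the demonstration; it uses the Python `cryptography` package rather than certutil so it runs anywhere.

```python
"""Re-sign an existing CRL with a retained copy of the issuing CA's key.

Added example, not from the thread. The CA, key and CRL are generated
inline so the script runs offline; in practice the key would be loaded
from the CA backup (kept offline / in an HSM, since whoever holds it can
issue and revoke as that CA).
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _utc(value):
    """Normalise naive (older cryptography) and aware (newer) datetimes to aware UTC."""
    return value if value.tzinfo else value.replace(tzinfo=UTC)


def next_update_of(crl):
    return _utc(getattr(crl, "next_update_utc", None) or crl.next_update)


def crl_number_of(crl):
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number


def make_issuing_ca(not_before):
    """Constructed stand-in for one datacenter's issuing CA (self-signed for brevity)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA DC1")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_crl(key, issuer_name, entries, this_update, lifetime, crl_number):
    """entries: iterable of (serial, revocation_date). Signs the CRL with SHA-256."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_name)
        .last_update(this_update)
        .next_update(this_update + lifetime)
        .add_extension(x509.CRLNumber(crl_number), critical=False)
    )
    for serial, revoked_at in entries:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(revoked_at)
            .build()
        )
    return builder.sign(key, hashes.SHA256())


def resign_crl(old_crl, ca_key, ca_cert, now, lifetime, newly_revoked=()):
    """Re-issue old_crl under the same issuer with a fresh validity window.

    Keeps every existing entry with its original revocation date, appends
    serials revoked while the CA was down, and increments the CRL number so
    clients holding the old copy treat this one as newer.
    """
    # Never sign with a key that does not belong to the CRL's issuer.
    if not old_crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("existing CRL was not signed by the supplied CA certificate")
    if old_crl.issuer != ca_cert.subject:
        raise ValueError("issuer name mismatch between CRL and CA certificate")
    entries = [
        (e.serial_number, _utc(getattr(e, "revocation_date_utc", None) or e.revocation_date))
        for e in old_crl
    ]
    entries += [(serial, now) for serial in newly_revoked]
    return build_crl(ca_key, ca_cert.subject, entries, now, lifetime, crl_number_of(old_crl) + 1)


def demo():
    """Scenario: CA publishes a 7-day CRL on 1 Sept, datacenter is lost on 6 Sept."""
    published = datetime.datetime(2010, 9, 1, tzinfo=UTC)
    key, cert = make_issuing_ca(published - datetime.timedelta(days=365))
    # Escrowed copy of the CA key, as the offline backup would hold it (unencrypted here only for brevity).
    escrowed_key_pem = key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()
    )
    old_crl = build_crl(key, cert.subject, [(0x1001, published)], published,
                        datetime.timedelta(days=7), crl_number=41)
    disaster = datetime.datetime(2010, 9, 6, tzinfo=UTC)  # old CRL would expire on the 8th
    escrowed_key = serialization.load_pem_private_key(escrowed_key_pem, password=None)
    new_crl = resign_crl(old_crl, escrowed_key, cert, disaster,
                         datetime.timedelta(days=14), newly_revoked=[0x1002])
    return cert, old_crl, new_crl


if __name__ == "__main__":
    cert, old_crl, new_crl = demo()
    print("old nextUpdate:", next_update_of(old_crl), "new nextUpdate:", next_update_of(new_crl))
    print("CRL number", crl_number_of(old_crl), "->", crl_number_of(new_crl))
```

Two practical points follow from this. First, the re-signed CRL still has to reach the CDP that the certificates name, so in the two-datacenter design the escrowed key is only useful together with a CDP (or a manual copy process) that survives the loss of the datacenter. Second, escrowing the key is what makes the CA survivable, but it also means the key exists somewhere other than the CA server; keep that copy as well protected as the CA itself.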
