High availability (or dual CA's) question for CS
I'm new to CS and I've been doing quite a bit of research for the past couple of weeks, so please correct me if I'm off. Potential PKI configuration will be: offline root CA (ROOTCA1 in a workgroup), and two issuing CAs (CERT1 and CERT2, domain joined) with auto-enrollment GPOs. This question is somewhat answered in this link; however, I'd like to expand a bit on this.

Scenario 1: If MACHINE1 gets a 1-year certificate (auto-enrollment) from CERT1, then CERT1 dies a week before MACHINE1's certificate expires. Will CERT2 renew MACHINE1's certificate? Will CERT2 handle all CRLs for CERT1 while CERT1 is offline?

Scenario 2: On a day-to-day basis, will MACHINE1 contact CERT1 to update any certificate-related information? If MACHINE1 does contact CERT1 on a day-to-day basis, what happens if CERT1 goes offline for a period of time? Will the CERT2 server respond to some of these queries from MACHINE1?

We're about to introduce SCCM 2012, UAG DirectAccess, RDS, and other Windows services that rely heavily on certificates, and I just want to make sure that we build a healthy/capable PKI infrastructure. Thanks for your time.
April 10th, 2012 5:51pm

Scenario 1:
1. Autoenrollment will make sure that MACHINE1 gets a "new" certificate from CERT2 replacing the expiring certificate from CERT1.
2. Each CA can only handle its own CRLs.

Scenario 2:
1. Depending on why MACHINE1 contacts CERT1 specifically! Certificate deployment within AD is controlled using certificate templates, and if the same certificate template is published on CERT1 and CERT2, the client will automatically notice that CERT1 is not responding and only CERT2 is available for that specific template.

/Hasain
April 11th, 2012 9:33am

> Scenario 1:
> 1. Autoenrollment will make sure that MACHINE1 gets a "new" certificate from CERT2 replacing the expiring certificate from CERT1.
> 2. Each CA can only handle its own CRLs.
>
> Scenario 2:
> 1. Depending on why MACHINE1 contacts CERT1 specifically! Certificate deployment within AD is controlled using certificate templates, and if the same certificate template is published on CERT1 and CERT2, the client will automatically notice that CERT1 is not responding and only CERT2 is available for that specific template.
>
> /Hasain

Thank you Hasain! Based on your comments, do you think having two issuing CAs (say, CERT1 and CERT2) is better for HA, or will doing clustering be just as good?
April 11th, 2012 4:24pm

The two solutions provide a comparable availability level regarding the possibility of issuing new or renewed certificates at any time. Failover clustering will provide a more continuous availability for the CA service itself, providing non-interrupted revocation and CRL generation functionality. You need to go back to your requirements to be able to decide what solution is the most suitable! /Hasain
April 11th, 2012 4:53pm
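As an added example that is not part of the thread (no code was posted here), a PowerShell health check for the two points Hasain makes: autoenrollment can only fail over to CERT2 if CERT2 is reachable and publishes the same template, and a dead CA's own CRL will expire because no other CA can sign it. The CA config strings, CDP URLs and template name are assumed placeholders; it relies on certutil.exe and on its "NextUpdate:" dump line.

```powershell
# Added example, not the thread's or Microsoft's code. Placeholders: CA config strings,
# CDP URLs and the template name. Run on a domain-joined admin workstation.
$IssuingCAs = @(
    @{ Config = 'CERT1.corp.example\CORP-CERT1-CA'; CdpUrl = 'http://pki.corp.example/CertEnroll/CORP-CERT1-CA.crl' },
    @{ Config = 'CERT2.corp.example\CORP-CERT2-CA'; CdpUrl = 'http://pki.corp.example/CertEnroll/CORP-CERT2-CA.crl' }
)
$TemplateName = 'Machine'   # internal name of the autoenrollment template both CAs should publish
$WarnDays     = 2           # warn when a CRL is this close to its Next Update

foreach ($ca in $IssuingCAs) {
    # 1. Is the CA's request interface reachable? (Scenario 2: clients skip a CA that does not answer.)
    certutil.exe -ping -config $ca.Config | Out-Null
    $online = ($LASTEXITCODE -eq 0)

    # 2. Does this CA publish the template? Both must, or autoenrollment has nowhere to fail over.
    #    Assumes the "-CATemplates" output format "Name: DisplayName -- Auto-Enroll: ...".
    $publishes = $false
    if ($online) {
        $publishes = [bool](certutil.exe -CATemplates -config $ca.Config | Select-String -Pattern "^$TemplateName`:")
    }

    # 3. Is this CA's CRL still valid? Only the issuing CA can sign its CRL (Scenario 1), so when the
    #    CA is down the published CRL eventually expires and revocation checks on its certs fail.
    $nextUpdate = $null
    try {
        $tmp = Join-Path $env:TEMP 'crlcheck.crl'
        Invoke-WebRequest -Uri $ca.CdpUrl -OutFile $tmp -UseBasicParsing
        $line = certutil.exe -dump $tmp | Select-String -Pattern '^\s*Next\s?Update:'
        if ($line) {
            $text = $line.Line -replace '^\s*Next\s?Update:\s*', ''
            $nextUpdate = [datetime]::Parse($text, [cultureinfo]::CurrentCulture)
        }
    } catch { }

    $crlState = if ($null -eq $nextUpdate)                         { 'CRL unreadable' }
                elseif ($nextUpdate -lt (Get-Date))                 { "CRL EXPIRED at $nextUpdate" }
                elseif ($nextUpdate -lt (Get-Date).AddDays($WarnDays)) { "CRL expires soon ($nextUpdate)" }
                else                                                { "CRL OK until $nextUpdate" }

    [pscustomobject]@{
        CA = $ca.Config; Online = $online; PublishesTemplate = $publishes; CrlState = $crlState
    }
}
```

A row showing Online = False together with a CRL close to expiry is the case the thread describes: new enrollments will fail over to the other CA, but certificates already issued by the down CA will soon fail revocation checking unless that CA (or a restored copy of its key) publishes a fresh CRL.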

Thanks again Hasain! Yes, we're still in brainstorming/development mode. I'm going to put something together in my lab and see how it performs. I may post something in case I run into any major difficulties. :) Thanks again.
April 12th, 2012 8:26am
