Windows 2008 CA cluster or not?
Hi all, I would like to know from all of you, what do you think about using clustering for Certification Authorities? Do you think that it's a good idea? After a while in this forum and from other comments made by IT people, it seems that clustering a CA (for example the issuing CA of a second tier PKI in my case) is more expensive than useful. The CA server has the role of issuing certificates and publishing CRLs, and is needed for the key recovery process too. I'm really confused by this; can I think then that if I have redundancy on my CRLs it will be enough? Please help with comments. I'm not an expert on CAs but I would like to get to know this. Thanks in advance.
October 29th, 2009 8:22pm

Are there any reasons to cluster your CA?
http://www.sysadmins.lv
October 29th, 2009 8:59pm

Not now, but we are planning to add a second issuing CA in the PKI and I would like to know if it will be interesting to put it in cluster failover mode.
October 29th, 2009 11:28pm

This depends on your configuration. If both CAs will issue certificates based on the same bulk of templates, then you may need to cluster. If both CAs will issue certificates based on different templates, you don't need to cluster your CAs. To read more about CA clustering please refer to this page: http://technet.microsoft.com/en-us/library/cc742450(WS.10).aspx
http://www.sysadmins.lv
October 30th, 2009 11:16am

Hi Vadims, I really appreciate your answer!!! I understand it a little bit more, thanks for the link too, I was reading it before posting this question here. Understand me, it's a lot of money to put a CA in cluster mode, so it's not an easy decision. Would you recommend it? Br
October 30th, 2009 12:06pm

I said that it depends on your configuration. The questions are:
1) will both CAs run on Windows Server Enterprise Edition?
2) will both CAs issue certificates based on the same set of templates?
3) will both CAs be located near each other (physically)?
4) are there strong requirements for CA availability?
5) how much time can a CA be offline?
6) how many certificates per week will be issued by your CAs?
Certificate Services doesn't require so many system resources, so clustering is justified only if a particular CA will issue a very big count of certificates in a short time and there are strong requirements for CA availability. In a lot of cases there is no need to cluster a CA.
http://www.sysadmins.lv
October 30th, 2009 12:37pm

Hi Vadims, Good answer! Clear as water. Thanks a lot.
October 30th, 2009 3:06pm

Guess utilizing NAP and hi speed CAs could be a reason for clustering. :-D
October 30th, 2009 10:06pm

Thanks Snorlars, I will investigate it.
November 5th, 2009 1:45am

This topic is archived. No further replies will be accepted.
