windows 2008 certificate authority migration to cluster server
Hi, we run a certificate authority on Windows 2008 Ent. We want to migrate this service to a Windows 2008 Ent cluster. One cluster node will be the same certificate authority server. The other node will be a new W2008 Ent virtual server. How do we migrate the certificate authority to this cluster environment? Thanks, Aurimas
December 15th, 2010 8:03am

You would use the same methods as creating a new CA cluster. The catch will be that the service name will change to a new name during the completion of the CA build. For example, I typically use naming like this:

CANode1.example.com ==> First Node
CANode2.example.com ==> Second Node
Cluster.example.com ==> Cluster name for management of cluster
CACluster.example.com ==> CertSvc application name

In your case, you probably have named the first node something like CA.example.com, which is fine. When you are done with the cluster build, the configuration name that you will be connecting to will be CACluster.example.com, though, rather than ca.example.com.

For details, see the clustering whitepaper: http://go.microsoft.com/fwlink/?LinkId=118364

Brian
December 15th, 2010 8:55am

Should we back up and uninstall the current CA and then reinstall it again following this: http://technet.microsoft.com/en-us/library/cc742450(WS.10).aspx#BKMK_SetUpFailover ? Also, how much storage do we need for the CA cluster? Thanks, Aurimas
December 15th, 2010 9:45am

You probably should back up and reinstall, as you will have to move the CA database to the clustered disk (and the logs too). For storage, the answer is "it depends". The variables include:

- How many certificates do you plan to issue
- Will all certificates be stored in the CA database (for example, NAP certificates could be marked to not be stored)
- Will any certificates have archived private keys
- The key length of the certificates issued

A general rule of thumb is that every certificate that you issue requires 17 kilobytes (KB) in the database and 15 KB in the log file (http://technet.microsoft.com/en-us/library/cc778985(WS.10).aspx), but this amount will increase if keys are archived, or longer key pairs are included in the issued certificates. I would plan on using SAN storage space that can be increased if need be in the future.

Brian
December 15th, 2010 11:08am

Thank you, Brian, for the answer. If we migrate to a CA cluster and change the name of the certificate authority as a service, do the already issued certificates become invalid? Thanks, Aurimas
December 16th, 2010 3:06am

No, because you are changing the name of the machine hosting the CA service to a virtual machine. The CAName remains "SOMECompany Issuing CA 1" and continues to use the same key pair for signing the certificates and the base/delta CRLs.

Brian
December 16th, 2010 8:07am

So now we have one CA server: CA1.comp.com. I installed a new computer as the second node: CA2.comp.com. I then create a server cluster of the CA1.comp.com and CA2.comp.com nodes as a new CA cluster server, CAcluster.comp.com. Is this the right way to install a CA cluster? Thanks, Aurimas
December 17th, 2010 3:18am

Very, very simplified, but you are correct. The configuration would then be known as CACluster.comp.com\Corporate Issuing CA.

Brian
December 17th, 2010 12:56pm

But if we change the name of the enterprise CA, already issued certificates won't be working anymore. Shouldn't we keep the same old Certificate Authority name? Thanks, Aurimas
December 20th, 2010 4:21am

The logical name of the CA remains the same, "Issuing CA 1". You are effectively adding another DNS name to reference the CA. What I recommend is working through either the whitepaper or the chapter in my PKI book in a test lab. You will then see how everything comes together.

Brian
December 21st, 2010 10:18pm

Hi, I migrated the CA service to the cluster using the MS instructions. Now I want to request a certificate from a client PC (Windows 7), logged on as Enterprise Administrator, but I get the error: "The revocation function was unable to check revocation because the revocation server was offline." I started PKIView and all LDAP lines are OK; HTTP failed. Is there any way to solve this? Thanks, Aurimas
January 5th, 2011 8:12am

It sounds like you still have some more changes to perform with the rename of the CA to the clustered CA name. Remember that after you rename, the certificate file names will change from node_CAName.crt to Cluster_CAName.crt. You will have to make sure that the CA is correctly configured.

As for the HTTP, make sure that the URLs referenced in the most recent certificate work. Bottom line, you must be able to copy the URL into a browser and download both the AIA and CDP objects. Work on the actual file names and be sure that they match. You are really close to having this solved!

Brian
January 5th, 2011 2:30pm
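The check Brian describes (every AIA and CDP URL in a freshly issued certificate must actually download) can be scripted instead of pasted into a browser one URL at a time. This is an added example, not code from the thread or from Microsoft; it assumes you have exported an issued certificate to a file (the path is a placeholder) and uses System.Net.WebClient so it also runs on the PowerShell 2.0 that ships with Windows 2008.

```powershell
# Added example: pull the AIA and CDP URLs out of an issued certificate and
# confirm each HTTP URL downloads. For AIA objects, also confirm the file that
# comes back is really the issuing CA's certificate (file-name mismatch after the
# cluster rename is the usual culprit). Path below is a placeholder.
param(
    [string]$CertPath = 'C:\temp\issued-cert.cer'   # placeholder, pass your own
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$wc   = New-Object System.Net.WebClient

# Extension OIDs: Authority Information Access (AIA) and CRL Distribution Points (CDP)
$wanted = @{ '1.3.6.1.5.5.7.1.1' = 'AIA'; '2.5.29.31' = 'CDP' }

foreach ($ext in $cert.Extensions) {
    if (-not $wanted.ContainsKey($ext.Oid.Value)) { continue }
    $label = $wanted[$ext.Oid.Value]

    # Format($true) renders the extension as multi-line text with one URL per line;
    # match to end-of-line so CA names containing spaces are not truncated.
    $text = $ext.Format($true)
    $urls = [regex]::Matches($text, '(?im)(https?|ldap)://[^\r\n]+') | ForEach-Object { $_.Value.Trim() }

    foreach ($url in $urls) {
        if ($url -notmatch '^(?i)https?://') {
            Write-Output "$label  $url  (LDAP, skipped: PKIView already covers these)"
            continue
        }
        try {
            $bytes = $wc.DownloadData($url)
            $status = "OK ($($bytes.Length) bytes)"
            if ($label -eq 'AIA') {
                # The AIA object should be the issuer's certificate: its Subject must
                # equal this certificate's Issuer, otherwise the wrong file is published.
                $issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
                if ($issuer.Subject -ne $cert.Issuer) {
                    $status = "DOWNLOADED but Subject '$($issuer.Subject)' != expected issuer '$($cert.Issuer)'"
                }
            }
            Write-Output "$label  $url  $status"
        } catch {
            Write-Output "$label  $url  FAILED: $($_.Exception.Message)"
        }
    }
}
```

Run it from a client in the same position as the failing Windows 7 machine, since it is that client's HTTP path to the CDP that matters, not the CA node's.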

Thanks, Brian. Today I logged on to the client computer and I was able to enroll certificates from the clustered CA. The Web Enrollment service is not installed on the nodes, so I guess HTTP enrollment should not work. So now the remaining problem is that we cannot enroll a certificate for the domain controller. Is there any way to solve this? Thanks, Aurimas
January 10th, 2011 6:43am