Certsrv on a remote server

  • Thread starter Thread starter Ryan Hanisco
  • Start date Start date
R

Ryan Hanisco

Everyone,

I have an environment that uses a Stand-alone CA to issue certificates to
remote users from a public web site using web enrollment. This cert is used
for authentication for another web site.

Right now I have a server farm behind load balancers, but only one of them
is configured as CA with the web-enrollment piece (certsrv). As you can
imagine, this acts as a single point of failure and means that we can't use
the load balancers for this we have to always go to the single server.

I would like to put copies of Certsrv on the other web servers so that I
could balance these, but I am concerned with the communication between web
enrollment and the CA and what the configuration steps would be. I am trying
to avoid the overhead of configuring subordinates on the other web servers
and issuing locally.

Advice?
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.
 
Certificate Services do *not* support clustering. Whatever you do,
certificates issued by a CA will have to be signed using this CA's private
key and by definition, there should be one, secret copy of this key on a
single server (and not a cluster).

The way around this is a multitier hieararchy, as you've mentioned below. If
you decide to go for a collapsed root/policy CA, you can install that on a
single (preferably offline - so not on your Web farm) root server, and then
you can install subordinate CAs on all the Web servers (yeah, I know you
were trying to avoid this...). All certificates issued by subordinates will
be part of the same CA hieararchy, therefore clients will trust one another.

A note on load balancing: when the client returns to the Web server to
obtain a certificate that they previously applied for, they must hit the
same Web server. Therefore, you will have to set client affinity, and it
needs to be such that even if the client returns after a week, she should
still hit the same server... This is so far the trickiest bit - and I guess
you will need to review your load balancer documentation to find out whether
this is doable at all, as affinity typically has a limited timeout period.

A note on unavailable CAs: Note, that if the CA is unavailable (not the CRL
DP, the actual CA registration authority, so the CERTSRV pages), then users
will simply not be able to request *new* certificates until the CA becomes
available again. However, all issued certificates will work. Hence the
reason why CAs are not necessarily Load Balancer and Clustering friendly.

--
---
HTH,
Dobromir

Visit http://www.iamechanics.com

"Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message
news:6CDE3050-3FC3-440C-9D06-A5E689D0FD1D@microsoft.com...
> Everyone,
>
> I have an environment that uses a Stand-alone CA to issue certificates to
> remote users from a public web site using web enrollment. This cert is
> used
> for authentication for another web site.
>
> Right now I have a server farm behind load balancers, but only one of them
> is configured as CA with the web-enrollment piece (certsrv). As you can
> imagine, this acts as a single point of failure and means that we can't
> use
> the load balancers for this we have to always go to the single server.
>
> I would like to put copies of Certsrv on the other web servers so that I
> could balance these, but I am concerned with the communication between web
> enrollment and the CA and what the configuration steps would be. I am
> trying
> to avoid the overhead of configuring subordinates on the other web servers
> and issuing locally.
>
> Advice?
> --
> Ryan Hanisco
> MCSE, MCTS: SQL 2005, Project+
> http://www.techsterity.com
> Chicago, IL
>
> Remember: Marking helpful answers helps everyone find the info they need
> quickly.
 
Just a heads up for futures reference:
You can cluster Certificate Services on Windows Server 2008, Enterprise
Edition.
Not the Web enrollment pages, but the CA itself.
Brian

"Dobromir Todorov" <dtodorov@msn.com> wrote in message
news:%23I5c15QbIHA.5400@TK2MSFTNGP03.phx.gbl...
> Certificate Services do *not* support clustering. Whatever you do,
> certificates issued by a CA will have to be signed using this CA's private
> key and by definition, there should be one, secret copy of this key on a
> single server (and not a cluster).
>
> The way around this is a multitier hieararchy, as you've mentioned below.
> If you decide to go for a collapsed root/policy CA, you can install that
> on a single (preferably offline - so not on your Web farm) root server,
> and then you can install subordinate CAs on all the Web servers (yeah, I
> know you were trying to avoid this...). All certificates issued by
> subordinates will be part of the same CA hieararchy, therefore clients
> will trust one another.
>
> A note on load balancing: when the client returns to the Web server to
> obtain a certificate that they previously applied for, they must hit the
> same Web server. Therefore, you will have to set client affinity, and it
> needs to be such that even if the client returns after a week, she should
> still hit the same server... This is so far the trickiest bit - and I
> guess you will need to review your load balancer documentation to find out
> whether this is doable at all, as affinity typically has a limited timeout
> period.
>
> A note on unavailable CAs: Note, that if the CA is unavailable (not the
> CRL DP, the actual CA registration authority, so the CERTSRV pages), then
> users will simply not be able to request *new* certificates until the CA
> becomes available again. However, all issued certificates will work. Hence
> the reason why CAs are not necessarily Load Balancer and Clustering
> friendly.
>
> --
> ---
> HTH,
> Dobromir
>
> Visit http://www.iamechanics.com
>
> "Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message
> news:6CDE3050-3FC3-440C-9D06-A5E689D0FD1D@microsoft.com...
>> Everyone,
>>
>> I have an environment that uses a Stand-alone CA to issue certificates to
>> remote users from a public web site using web enrollment. This cert is
>> used
>> for authentication for another web site.
>>
>> Right now I have a server farm behind load balancers, but only one of
>> them
>> is configured as CA with the web-enrollment piece (certsrv). As you can
>> imagine, this acts as a single point of failure and means that we can't
>> use
>> the load balancers for this we have to always go to the single server.
>>
>> I would like to put copies of Certsrv on the other web servers so that I
>> could balance these, but I am concerned with the communication between
>> web
>> enrollment and the CA and what the configuration steps would be. I am
>> trying
>> to avoid the overhead of configuring subordinates on the other web
>> servers
>> and issuing locally.
>>
>> Advice?
>> --
>> Ryan Hanisco
>> MCSE, MCTS: SQL 2005, Project+
>> http://www.techsterity.com
>> Chicago, IL
>>
>> Remember: Marking helpful answers helps everyone find the info they need
>> quickly.
>
>
 
Dobromir,

Thanks for confirming that. I had kind of resigned myself to the fact that
I would need to build out the CA structure to support this.

As to the certs re-registering, this will not be an issue as the business
requirements are to "permanently" brand a machine as being valid to interact
with the site. This means issuing a very long duration. This should get it
done.

Thanks so much for your feedback. You too, Brian.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.


"Dobromir Todorov" wrote:

> Certificate Services do *not* support clustering. Whatever you do,
> certificates issued by a CA will have to be signed using this CA's private
> key and by definition, there should be one, secret copy of this key on a
> single server (and not a cluster).
>
> The way around this is a multitier hieararchy, as you've mentioned below. If
> you decide to go for a collapsed root/policy CA, you can install that on a
> single (preferably offline - so not on your Web farm) root server, and then
> you can install subordinate CAs on all the Web servers (yeah, I know you
> were trying to avoid this...). All certificates issued by subordinates will
> be part of the same CA hieararchy, therefore clients will trust one another.
>
> A note on load balancing: when the client returns to the Web server to
> obtain a certificate that they previously applied for, they must hit the
> same Web server. Therefore, you will have to set client affinity, and it
> needs to be such that even if the client returns after a week, she should
> still hit the same server... This is so far the trickiest bit - and I guess
> you will need to review your load balancer documentation to find out whether
> this is doable at all, as affinity typically has a limited timeout period.
>
> A note on unavailable CAs: Note, that if the CA is unavailable (not the CRL
> DP, the actual CA registration authority, so the CERTSRV pages), then users
> will simply not be able to request *new* certificates until the CA becomes
> available again. However, all issued certificates will work. Hence the
> reason why CAs are not necessarily Load Balancer and Clustering friendly.
>
> --
> ---
> HTH,
> Dobromir
>
> Visit http://www.iamechanics.com
>
> "Ryan Hanisco" <RyanHanisco@discussions.microsoft.com> wrote in message
> news:6CDE3050-3FC3-440C-9D06-A5E689D0FD1D@microsoft.com...
> > Everyone,
> >
> > I have an environment that uses a Stand-alone CA to issue certificates to
> > remote users from a public web site using web enrollment. This cert is
> > used
> > for authentication for another web site.
> >
> > Right now I have a server farm behind load balancers, but only one of them
> > is configured as CA with the web-enrollment piece (certsrv). As you can
> > imagine, this acts as a single point of failure and means that we can't
> > use
> > the load balancers for this we have to always go to the single server.
> >
> > I would like to put copies of Certsrv on the other web servers so that I
> > could balance these, but I am concerned with the communication between web
> > enrollment and the CA and what the configuration steps would be. I am
> > trying
> > to avoid the overhead of configuring subordinates on the other web servers
> > and issuing locally.
> >
> > Advice?
> > --
> > Ryan Hanisco
> > MCSE, MCTS: SQL 2005, Project+
> > http://www.techsterity.com
> > Chicago, IL
> >
> > Remember: Marking helpful answers helps everyone find the info they need
> > quickly.
>
>
>
 
Back
Top