Not, I think, in exactly the way you describe.

I think what you want to do, in maintaining the 2-tier architecture,
is to fire up the root CA, configure/install the new 2nd-tier CA and
get it its own cert, and publish the CRLs, and then you can shut down
the root CA. That is, until it's time to issue the updated root cert
and 2nd tier certs.

Kurt

On Tue, Nov 11, 2014 at 3:48 PM, Ryan Shugart <[email protected]> wrote:
> Thanks everyone.  So if I’m understanding right, the root CA can be shut
> down with no issues, and I can just bring up new issuing servers in our DR
> site and they’ll work alongside the ones at our main site?
>
> Thanks.
>
> Ryan
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Michael B. Smith
> Sent: Tuesday, November 11, 2014 11:55 AM
> To: [email protected]
> Subject: [NTSysADM] RE: making ADCS resilient
>
> I advise my clients to only have the root server online when they are
> bringing up new DCs or renewing certificates for the sub-authorities.
>
> They also bring it up once a month to patch and then create a full-backup
> that goes over-the-wire to the DR site.
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Ryan Shugart
> Sent: Tuesday, November 11, 2014 1:35 PM
> To: [email protected]
> Subject: [NTSysADM] making ADCS resilient
>
> Hi all:
>
> I just got handed our ADCS infrastructure, and was told that it
> needs to be made resilient.  From what I can tell (the old admin left the
> company and didn’t provide much documentation) we have a two tier
> infrastructure with one root CA and two issuing CAs all running Windows
> Server 2012.  From what I’m seeing now, I should be able to bring up another
> issuing server relatively easily in our DR site and we should be good there,
> but the root CA isn’t that easy to make resilient, and may not need to be
> resilient anyway.  So question, is this what people are doing to make ADCS
> resilient across multiple sites or is there another approach to this?
>
> Thanks.
>
> Ryan
>
> Ryan Shugart
> LAN Administrator
> MiTek USA, MiTek Denver
> 314-851-7414
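The advice in this thread (keep the root CA powered off, bring it up only to renew subordinate CA certificates and publish its CRLs) has one operational trap: the root's CRL has a NextUpdate time, and if the root is still offline when that time passes, clients that check revocation start rejecting the whole chain, issuing CAs included. The script below is an added example written for this thread, not something any of the posters shared. It decodes the root CA's published CRL files with certutil.exe (which ships with Windows) and reports how many days remain before each one lapses, so the root can be scheduled online before that date. The CRL paths and the 14-day warning threshold are constructed placeholders; adjust them to your own CDP locations.

```powershell
# Added example (not from the thread): report when an offline root CA's
# published CRLs lapse so the root is brought online and a new CRL issued
# before revocation checking fails across the hierarchy.
# Constructed placeholders: the CRL paths and the warning threshold below.

$CrlPaths = @(
    '\\pki01\cdp\ContosoRootCA.crl',                             # placeholder: copy on the CDP share
    'C:\Windows\System32\CertSrv\CertEnroll\ContosoRootCA.crl'   # placeholder: local copy on the root CA
)
$WarnDays = 14   # flag CRLs whose NextUpdate is within this many days

function Get-CrlValidity {
    <#
    .SYNOPSIS
    Decodes one CRL file with "certutil -dump" and returns issuer, ThisUpdate,
    NextUpdate, days remaining and a status of OK / WARN / EXPIRED / MISSING / UNREADABLE.
    #>
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WarnDays = 14
    )

    $result = [ordered]@{
        Path = $Path; Issuer = $null; ThisUpdate = $null
        NextUpdate = $null; DaysLeft = $null; Status = 'MISSING'
    }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$result }

    # certutil prints the decoded CRL as text; only the issuer name and the
    # two validity timestamps are needed here. certutil writes dates in the
    # current culture's format, so [datetime]::Parse (current culture) is used
    # rather than a PowerShell cast, which assumes the invariant culture.
    $dump = (& certutil.exe -dump $Path 2>&1) -join "`n"
    $issuer = [regex]::Match($dump, '(?m)^Issuer:\s*\n\s*(CN=[^\n]+)')
    $tu     = [regex]::Match($dump, '(?mi)^\s*This\s*Update:\s*(.+?)\s*$')
    $nu     = [regex]::Match($dump, '(?mi)^\s*Next\s*Update:\s*(.+?)\s*$')

    if (-not $nu.Success) { $result.Status = 'UNREADABLE'; return [pscustomobject]$result }

    $now = Get-Date
    $result.Issuer     = if ($issuer.Success) { $issuer.Groups[1].Value.Trim() } else { '(unknown)' }
    $result.ThisUpdate = if ($tu.Success) { [datetime]::Parse($tu.Groups[1].Value) } else { $null }
    $result.NextUpdate = [datetime]::Parse($nu.Groups[1].Value)
    $result.DaysLeft   = [math]::Floor(($result.NextUpdate - $now).TotalDays)

    $result.Status = if ($result.NextUpdate -lt $now)        { 'EXPIRED' }
                     elseif ($result.DaysLeft -le $WarnDays) { 'WARN' }
                     else                                    { 'OK' }
    return [pscustomobject]$result
}

$report = foreach ($p in $CrlPaths) { Get-CrlValidity -Path $p -WarnDays $WarnDays }
$report | Format-Table Path, Issuer, ThisUpdate, NextUpdate, DaysLeft, Status -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent raise the alert.
$bad = @('EXPIRED', 'WARN', 'MISSING', 'UNREADABLE')
if (@($report | Where-Object { $bad -contains $_.Status }).Count -gt 0) {
    Write-Warning 'A root CA CRL is missing, unreadable, lapsing or expired: bring the offline root online, run "certutil -CRL" on it, and copy the new CRL to every CDP location.'
    exit 1
}
exit 0
```

Run it from a scheduled task on a machine that can reach the CDP share (it never needs the root CA itself to be on), and set the threshold comfortably longer than the lead time needed to power the root up and get the new CRL copied to every CDP. Checking the copy on the CDP rather than only the one on the root CA catches the second failure mode: a CRL that was published but never actually made it to where clients fetch it.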

