When you say "resiliency", do you mean "high availability"? If so, then generally, "no" - you don't need HA for your root CA in a two-tier architecture.. If you publish the CRL for the root CA (e.g. in case you revoke an issuing CA's signing cert), then this CRL should be placed somewhere that has HA (e.g. AD or whatever).
If by "resiliency", you mean able to recover from disaster, then yes, you do need something - e.g. backup your CA, or at least it's signing cert (e.g. in a resilient HSM), so that if you have a disaster, you're able to recover the root CA. Cheers Ken From: [email protected] [mailto:[email protected]] On Behalf Of Ryan Shugart Sent: Wednesday, 12 November 2014 10:49 AM To: [email protected] Subject: [NTSysADM] RE: making ADCS resilient Thanks everyone. So if I'm understanding right, the root CA can be shut down with no issues, and I can just bring up new issuing servers in our DR site and they'll work along side the ones at our main site? Thanks. Ryan From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Tuesday, November 11, 2014 11:55 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: making ADCS resilient I advise my clients to only have the root server online when they are bringing up new DCs or renewing certificates for the sub-authorities. They also bring it up once a month to patch and then create a full-backup that goes over-the-wire to the DR site. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Ryan Shugart Sent: Tuesday, November 11, 2014 1:35 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] making ADCS resilient Hi all: I just got handed our ADCS infrastructure, and was told that it needs to be made resilient. From what I can tell (the old admin left the company and didn't provide much documentation) we have a two teer infrastructure with one root CA and two issuing CAs all running Windows Server 2012. From what I'm seeing now, I should be able to bring up another issuing server relatively easily in our DR site and we should be good there, but the root CA isn't that easy to make resilient, and may not need to be resilient anyway. So question, is this what people are doing to make ADCS resilient across multiple sites or is there another approach to this? Thanks. Ryan Ryan Shugart LAN Administrator MiTek USA, MiTek Denver 314-851-7414 MiTek Holdings, Inc., 2011-2014, All Rights Reserved ________________________________ This communication (including any attachments) contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any distribution, copying, or use of this communication or the information in it is strictly prohibited. If you have received this communication in error, please notify the sender immediately and then destroy any copies of it.
