Step by Step Guide – Clustering an Existing Certification Authority
Clustering the certification authority
This document details the steps required to cluster an existing certification authority running on Windows Server 2008 R2 Enterprise Edition to provide fault tolerance and high availability for the service. The procedure was validated in a lab environment and should be tested in a lab environment before it is applied to production. For more information on
The document assumes certain prerequisites and highlights the risks associated with clustering a certification authority. The sections are divided into the tasks required to achieve this goal. Some tasks, such as configuring the Hardware Security Module (HSM), are covered only briefly because they are carried out by the organization's IT Security team.
Lab environment
The following list describes the configuration of the lab environment:
Active Directory Domain: Contoso.com
Certification authority: Active Directory Certificate Services (AD CS) Certification Authority role service is installed and configured on a member server Node1.contoso.com
Certification authority name: The certification authority's sanitized name is Contoso Issuing CA
Additional Servers: Node2.contoso.com is the new AD CS certification authority server joined to domain, with the exact build, patch and driver levels as Node1.contoso.com. The server will be configured as the second node in a certification authority cluster
Distribution Points: The certificate revocation list (CRL) distribution point (CDP) and authority information access (AIA) locations are configured to point to a separate member server. CDP/AIA locations are not configured to point to the CA itself, so they do not change when the CA moves between nodes
Prerequisites specific to Contoso
Contoso will configure enterprise issuing certification authorities and then place them in a certification authority cluster when the additional nodes are provisioned. The following prerequisites should be in place before attempting certification authority clustering:
- Certification authority role is already installed, fully configured and functional on Node1 including distribution points, and registry configuration.
- A hardware security module (HSM) is already configured and connected to Node1
- CA role service is not installed on Node2
- Shared storage is available to Node1 and Node2
- The failover cluster feature is not configured on any of the nodes
- There is a full backup of the certification authority server, including the certificate database, logs, registry and enabled templates
- Certification authority clustering is only supported using the Microsoft Failover Clustering feature native to the operating system
- LUN, heartbeat configuration and other specific clustering features should be configured by Contoso’s infrastructure team
- Accounts with Enterprise Admins membership and Certification Authority Administrator rights are available for the procedure
Understanding naming conventions in certification authority clustering
Before you begin, you should plan the names to use during the installation procedure. It is important to properly define these names because they are used throughout the configuration.
The following named items are used in the subsequent sections and step-by-step procedures.
Cluster node: This represents the computer’s host name participating in the cluster. In this document, the cluster nodes refer to Node1.contoso.com and Node2.contoso.com. Both nodes are permitted access to the Authority Information Access (AIA) – CAName, Enrollment Services - CAName, and KRA - CAName objects in Active Directory using Access Control Lists (ACLs). As an example, both nodes Node1 and Node2 are permitted to update the Contoso Issuing CA object in the AIA, Enrollment Services, and KRA containers in Active Directory by giving them full control access.
Cluster: The failover cluster has a unique name that is registered in Active Directory Domain Services (AD DS) and the Domain Name System (DNS). This name refers to the cluster name in the Failover Cluster Management snap-in and not to the clustered certification authority. There is no dependency between the cluster name and the clustered certification authority. In this document, the cluster name is simply cluster. Contoso can choose any name for the cluster. The cluster name is registered in Active Directory and DNS automatically when the cluster is created by an enterprise administrator
Service: The service name is the DNS name of the clustered CA service (the client access point), and should be determined before configuring the cluster. This name is independent of the cluster name mentioned earlier. In this document, the service name is ADCS.contoso.com
Action Items
Move the certification authority database to shared disk
- Log on to the certification authority Node1 using an account with Enterprise Admin or CA Admin rights
- Click Start, and then click Server Manager
- Expand the server name and then click Services
- Click Active Directory Certificate Services and then click Stop
- Copy the CertLog directory, which contains the certificate database and log files, to the new shared disk location, for example R:\CertLog. The default database path is %SystemRoot%\System32\CertLog
- Click Start, and click Run...
- Type Regedit, and then click OK
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\
- Change the following registry keys:
Registry value      Old value                      New value
DBDirectory         C:\Windows\System32\CertLog    R:\CertLog
DBLogDirectory      C:\Windows\System32\CertLog    R:\CertLog
DBSystemDirectory   C:\Windows\System32\CertLog    R:\CertLog
DBTempDirectory     C:\Windows\System32\CertLog    R:\CertLog
Verify the certification authority’s new database and log location
- Click Start, and then click Server Manager
- Expand the server name and then click Services
- Click Active Directory Certificate Services and then click Start
- Click Start, and then Click Administrative Tools
- Click Certification Authority
- Right click the certification authority’s name and then click Properties
- Click the Storage tab
- Verify the Certificate database and Request Log entries are pointing to the new shared storage location
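The move and verification above, scripted as an added example that is not part of the original procedure. It assumes the shared disk is already online as R: on the node being worked on, that the CA runs as the CertSvc service, and that the full backup from the prerequisites exists. It stops the CA, copies the ESE database with its ACLs, re-points the four registry values and then checks the result from both the registry and the running CA.

```powershell
# Added example (not part of the original procedure): move the CA database and
# logs to the shared disk and re-point the four CertSvc registry values.
# Assumes the shared disk is online as R: on this node, the CA runs as the
# CertSvc service, and a full CA backup already exists (see prerequisites).
$ErrorActionPreference = 'Stop'
$Source      = Join-Path $env:SystemRoot 'System32\CertLog'
$Destination = 'R:\CertLog'
$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$DbValues    = 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory'

if (-not (Test-Path 'R:\')) { throw 'Shared disk R: is not online on this node.' }

# Stop the CA so the ESE database is closed cleanly before it is copied.
Stop-Service -Name CertSvc
(Get-Service -Name CertSvc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Record the current values; they are needed if the change has to be reverted.
$Before = Get-ItemProperty -Path $RegPath -Name $DbValues
foreach ($Name in $DbValues) { '{0,-18} {1}' -f $Name, $Before.$Name }

# /E copies the database (.edb), transaction logs (.log) and checkpoint (.chk);
# /COPYALL preserves the NTFS ACLs so LocalSystem keeps access on the new volume.
# robocopy exit codes below 8 mean the copy succeeded.
robocopy $Source $Destination /E /COPYALL /R:2 /W:5 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
if (-not (Get-ChildItem -Path $Destination -Filter '*.edb')) {
    throw "No .edb file found in $Destination; the database was not copied."
}

foreach ($Name in $DbValues) {
    Set-ItemProperty -Path $RegPath -Name $Name -Value $Destination
}

Start-Service -Name CertSvc
(Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Verify from both sides: the registry, and what the running CA reports.
$After = Get-ItemProperty -Path $RegPath -Name $DbValues
foreach ($Name in $DbValues) {
    if ($After.$Name -ne $Destination) { throw "$Name still points to $($After.$Name)" }
}
certutil -getreg DBDirectory
certutil -ping   # fails if the CA did not come up against the moved database
if ($LASTEXITCODE -ne 0) {
    throw 'The CA is not responding after the move; restore the values recorded in $Before.'
}
```

On the second node only the registry change and the verification apply: R:\CertLog already holds the database by then, so the robocopy step must be left out there rather than run a second time.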
Install Active Directory Certificate Services on the second CA cluster node
This section explains how to set up the second cluster node. The configuration of the second node is slightly different from the first node: some settings are already defined on the first node and carried on the shared disk, so only a subset of the configuration needs to be applied on the second node.
The configuration of the second node includes the following tasks:
- Determine the certification authority's cluster service name
- Stop Active Directory Certificate Services on Node1
- Confirm that the shared disk is available to Node2.
- Confirm that the network HSM is available to Node2.
- Import the CA certificate into the local computer certificate store.
- Associate the CA certificate with the key material stored in an HSM.
- Install AD CS on the second node.
The following procedure describes these tasks in greater detail.
Verify and Document the Active Directory Certificate Services (AD CS) DNS Name
Determine the fully qualified domain name (FQDN) to use for the certification authority cluster service name. In this document it is ADCS.contoso.com.
Stop Active Directory Certificate Services on Node1
- Log on to Node1 using an account with Enterprise Admin or CA Admin rights
- Click Start, and then click Server Manager
- Expand the server name and then click Services
- Click Active Directory Certificate Services and then click Stop
- Click Storage in Server Manager
- Click Disk Management
- Right click the shared storage drive where the certification authority’s database and logs reside and then click Offline
Confirm that the shared disk is available to Node2.
- Log on to Node2 using an account with Enterprise Admin or CA Admin rights
- Click Start, and then click Server Manager
- Expand the server name and then click Storage
- Click Disk Management
- Right click the shared storage drive where the certification authority’s database and logs reside and then click Online
Confirm that the network HSM is available to Node2.
- Log on to Node2 using an account with Enterprise Admin or CA Admin rights
- Install the HSM vendor's Cryptographic Service Provider (CSP) or Key Storage Provider (KSP) client software
- Review the HSM's documentation to associate the private key with this node. You might need to run certutil -repairstore My <CACertificateSerialNumber> (add -csp "<ProviderName>" before -repairstore if the key must be located in a specific HSM provider)
Import the CA certificate into the local computer certificate store.
This step should be reviewed by the Contoso team to follow the procedures required by the HSM vendor to retrieve the key and its associated certificate
Associate the CA certificate with the key material stored in an HSM
This step should be reviewed by the Contoso team to follow any procedure required by the HSM vendor to associate the CA’s certificate with the key material and the new node Node2
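The certificate import and key association on Node2, as an added example that is not part of the original procedure and does not replace the HSM vendor's own steps. It assumes the vendor's CSP/KSP client is installed and the key container is visible to Node2, and that the CA certificate was exported on Node1 with certutil -ca.cert to the path used below (the path and the optional provider name are assumptions). The last block proves the HSM key is actually usable before the role is installed, which is what the setup wizard's "Use existing private key" option relies on.

```powershell
# Added example (not part of the original procedure): import the existing CA
# certificate on Node2 and re-associate it with the private key in the network
# HSM, then prove the key is usable before the AD CS role is installed.
# Assumptions: the HSM vendor's CSP/KSP client is installed on Node2, the key
# container is visible to this node, and the CA certificate was exported on
# Node1 with "certutil -ca.cert C:\Temp\ContosoIssuingCA.cer" and copied here.
$ErrorActionPreference = 'Stop'
$CaCertFile  = 'C:\Temp\ContosoIssuingCA.cer'   # path is an assumption
$HsmProvider = $null   # set to the HSM provider name if certutil cannot find the key on its own

$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertFile)
'CA certificate: {0}  serial: {1}  thumbprint: {2}' -f $Cert.Subject, $Cert.SerialNumber, $Cert.Thumbprint

# Refuse to continue if the file is not a CA certificate (e.g. a leaf certificate
# was exported by mistake): a CA certificate carries the Basic Constraints CA flag.
$BasicConstraints = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $BasicConstraints -or -not $BasicConstraints.CertificateAuthority) {
    throw 'The file does not contain a CA certificate.'
}

# certutil works on the LocalMachine stores unless -user is given; LocalMachine\My
# is where the AD CS setup wizard looks for "Use existing private key".
certutil -addstore My $CaCertFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -addstore failed.' }

# Re-link the store entry to the HSM key container: -repairstore searches the
# installed providers for a key whose public half matches the certificate.
if ($HsmProvider) {
    certutil -csp $HsmProvider -repairstore My $Cert.SerialNumber | Out-Null
} else {
    certutil -repairstore My $Cert.SerialNumber | Out-Null
}
if ($LASTEXITCODE -ne 0) { throw 'certutil -repairstore found no matching key in any provider.' }

# Verify: the store entry must now report a key container and provider, and the
# key test must not fail, which exercises the HSM key rather than just metadata.
$Entry = certutil -store My $Cert.SerialNumber
if (-not ($Entry -match 'Key Container')) {
    throw 'No private key is associated with the CA certificate.'
}
if ($Entry -match 'FAILED') {
    throw 'certutil reported a key test failure; check HSM connectivity and partition/operator access.'
}
$Entry | Select-String -Pattern 'Provider', 'Key Container', 'test'
```

If the final check fails on one node but not the other, the usual cause is that the HSM partition or security world has not been enrolled on the new node, not a problem with the certificate itself.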
Install the certification authority role on Node2
- Log on to Node2 using an account with Enterprise Admin or CA Admin rights
- Click Start, and then click Server Manager
- Select the Roles node, and on the Action menu, click Add Roles.
- On the Select Server Roles page, select Active Directory Certificate Services, and click Next twice.
- On the Select Role Services page, select Certification Authority, and click Next. The CA role service is the only AD CS role service that can be configured to use clustering.
- On the Specify Setup Type, select Enterprise, and click Next.
- On the Specify CA Type Select Subordinate, and then click Next.
- Select Use existing private key, select a certificate and use its associated private key, then click Next.
- Select the CA certificate that was generated on the first node, and then click Next.
- Keep the default paths for the database and log directories. If a dialog box states that an existing database was found, click No so that it is not overwritten. Click Next to continue.
WARNING: Do not point the database or log path at the shared disk during this installation. The wizard would create an empty database there and overwrite the database that was moved from Node1. The registry is changed afterwards so that the new node uses the existing database on the shared disk.
- Click Install. To finish the role installation, click Close. Log off from the second cluster node.
- Click Start, and then click Server Manager
- Expand the server name and then click Services
- Click Active Directory Certificate Services and then click Stop
- Do not copy the newly created local CertLog directory to the shared disk. R:\CertLog already holds the database that was moved from Node1, and overwriting it with Node2's empty database would destroy the issued-certificate history. Confirm that R:\CertLog is online on Node2 and still contains the .edb, .log and .chk files before continuing
- Click Start, and click Run
- Type Regedit, and then click OK
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\
- Change the following registry keys:
Registry value      Old value                      New value
DBDirectory         C:\Windows\System32\CertLog    R:\CertLog
DBLogDirectory      C:\Windows\System32\CertLog    R:\CertLog
DBSystemDirectory   C:\Windows\System32\CertLog    R:\CertLog
DBTempDirectory     C:\Windows\System32\CertLog    R:\CertLog
- Click Start, and then click Server Manager
- Expand the server name and then click Services
- Click Active Directory Certificate Services and then click Start
- Verify that the certificate database contains all certificates issued by Node1: open the Certification Authority snap-in on Node2 and check the Issued Certificates folder against the list seen on Node1
- Click Services in Server Manager
- Click Active Directory Certificate Services and then click Stop
- Click Storage in Server Manager
- Click Disk Management
- Right click the shared storage drive where the certification authority’s database and logs reside and then click Offline
Set up failover clustering
- Set up failover clustering on Node1 and Node2
- Configure AD CS as a cluster resource
- Create a dependency between the certification authority and the network HSM service
Set up failover clustering on Node1 and Node2
- Log on to the cluster node Node1 as a member of the local Administrators or Enterprise Administrators group.
- Open Server Manager. In the console tree, click Features, and on the Action menu, click Add Features.
- In the list of available features, select Failover Clustering, and click Next. Click Install, and then click Close.
- Log on to the second cluster node Node2
- Open Server Manager. In the console tree, click Features, and on the Action menu, click Add Features.
- In the list of available features, select Failover Clustering, and click Next. Click Install, and then click Close.
- On Node1, click Start, click Run, type Cluadmin.msc, and then click OK.
- In the Actions pane, click Create a Cluster. If the Before You Begin page appears, click Next.
- On the Select Servers page, enter the computer name of the first cluster node, Node1, and click Add. Enter the name of the second cluster node, Node2, click Add, and then click Next.
- On the Validation Warning page, select Yes. When I click Next, run configuration validation tests, and then return to the process of creating the cluster, and click Next twice.
- Keep the default option Run all tests, and click Next twice. Review the validation report, and click Finish.
Note: Make sure every validation test completes with the result The test passed before you proceed.
- On the Access Point for Administering the Cluster page, provide the cluster name (cluster in this document). This name is not relevant to the later CA configuration. Review the confirmation and summary pages, and click Finish.
Configure AD CS as a cluster resource
- Log on to the cluster node Node1 as a member of the local Administrators or Enterprise Admins group.
- Click Start, click Run, type Cluadmin.msc, and then click OK
- In the console tree of the Failover Cluster Management snap-in, click Services and Applications.
- On the Action menu, click Configure a service or Application. If the Before you begin page appears, click Next.
- In the list of services and applications, select Generic Service, and click Next.
- In the list of services, select Active Directory Certificate Services, and click Next.
- On the Client Access Point page, enter the service name (ADCS in this document, registered as ADCS.contoso.com), and click Next. For more information about the service name, see Verify and Document the Active Directory Certificate Services (AD CS) DNS Name
- On the Select Storage page, select the cluster disk that holds the certification authority's database and logs (R: in this document), and click Next.
- To configure a shared registry hive, click Add, type SYSTEM\CurrentControlSet\Services\CertSvc, and then click OK. Click Next twice.
- Click View Report to review any issues with setting up the clustered service
- Click Finish to complete the failover configuration for AD CS.
Create a dependency between the certification authority and the Network HSM service
- Open the Failover Cluster Management snap-in. In the console tree, click Services and Applications. In the details pane, select the previously created name of the clustered service. On the Action menu, click Add a resource, and then click Generic Service.
- The new resource wizard appears. In the list of available services, select the name of the service that was installed to connect to your network HSM. Click Next twice, and then click Finish.
- Under Services and Applications in the console tree, click the name of the clustered services.
- In the details pane, select the newly created Generic Service. On the Action menu, click Properties.
- On the General tab, rename the service name if desired, and click OK. Confirm that the service is online.
- In the details pane, select the service previously named Certification Authority. On the Action menu, click Properties.
- On the Dependencies tab, click Insert, select the network HSM service from the list, and then click OK.
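The three clustering procedures above (create the cluster, publish AD CS as a Generic Service with the CertSvc registry checkpoint, add the HSM service and the dependency), scripted with the FailoverClusters module as an added example that is not part of the original procedure. Run it on Node1 as an account that is a local administrator on both nodes and can create computer objects in AD. The HSM client service name HsmClientSvc, the cluster disk name Cluster Disk 1 and the two static addresses are assumptions; substitute the vendor's real service name and Contoso's addressing. It ends with the check a practitioner wants after clustering anything: fail the role over and ping the CA on its service name.

```powershell
# Added example (not part of the original procedure): create the failover cluster,
# publish CertSvc as a Generic Service with the CertSvc registry checkpoint, add
# the HSM client service as a resource and make the CA depend on it.
# Run on Node1 as a local administrator of both nodes who can create computer
# objects in AD. Assumptions not taken from the procedure: the HSM client service
# is 'HsmClientSvc' (use the vendor's real service name), the shared volume shows
# as 'Cluster Disk 1', and 10.0.0.40 (cluster) / 10.0.0.50 (ADCS) are free.
Import-Module FailoverClusters
$ErrorActionPreference = 'Stop'

$Nodes         = 'Node1', 'Node2'
$ClusterName   = 'cluster'
$ClusterIp     = '10.0.0.40'
$CaRole        = 'ADCS'             # registered in DNS as ADCS.contoso.com
$CaIp          = '10.0.0.50'
$CaDisk        = 'Cluster Disk 1'
$HsmService    = 'HsmClientSvc'     # assumption: vendor-specific service name
$CheckpointKey = 'SYSTEM\CurrentControlSet\Services\CertSvc'

# The CA must not be running on either node while the cluster takes ownership.
foreach ($Node in $Nodes) {
    $Svc = Get-Service -ComputerName $Node -Name CertSvc
    if ($Svc.Status -ne 'Stopped') { throw "CertSvc is $($Svc.Status) on $Node; stop it first." }
}

# Validation writes an HTML report; read it and do not continue past a failed test.
$Report = Test-Cluster -Node $Nodes
"Validation report: $($Report.FullName)"

New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIp | Out-Null

# Generic Service role for CertSvc: owns the shared disk and replicates the CertSvc
# registry subtree (CA name, key container, DB paths) to whichever node is active.
Add-ClusterGenericServiceRole -ServiceName 'CertSvc' -Name $CaRole `
    -Storage $CaDisk -StaticAddress $CaIp -CheckpointKey $CheckpointKey | Out-Null

# Locate the CertSvc resource by its ServiceName parameter, not by display name.
$CaResource = Get-ClusterResource | Where-Object {
    $_.OwnerGroup.Name -eq $CaRole -and $_.ResourceType.Name -eq 'Generic Service' -and
    ($_ | Get-ClusterParameter -Name ServiceName).Value -eq 'CertSvc'
}
if (-not $CaResource) { throw 'CertSvc cluster resource not found.' }

# HSM client service as a second Generic Service in the same group.
$HsmResource = Add-ClusterResource -Name 'Network HSM' -Group $CaRole -ResourceType 'Generic Service'
$HsmResource | Set-ClusterParameter -Name ServiceName -Value $HsmService

# Dependencies can only be changed while the dependent resource is offline.
Stop-ClusterResource -Name $CaResource.Name | Out-Null
Add-ClusterResourceDependency -Resource $CaResource.Name -Provider $HsmResource.Name
Start-ClusterGroup -Name $CaRole | Out-Null

Get-ClusterResource | Where-Object { $_.OwnerGroup.Name -eq $CaRole } |
    Format-Table Name, State, ResourceType -AutoSize
Get-ClusterResourceDependency -Resource $CaResource.Name

# Failover test: move the role to Node2 and check the CA answers on its service name.
Move-ClusterGroup -Name $CaRole -Node 'Node2' | Out-Null
certutil -config 'ADCS.contoso.com\Contoso Issuing CA' -ping
if ($LASTEXITCODE -ne 0) { throw 'The clustered CA did not respond on Node2 after failover.' }
```

The dependency matters more than it looks: without it the cluster can start CertSvc on a node before the HSM client is up, the CA then fails to open its key and the resource flaps until the restart threshold is hit.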
Post configuration tasks in Active Directory Domain Services (ADDS)
You need to complete five procedures to configure the CA in AD DS:
- Enable both cluster nodes to update the CA certificate when required.
- Give both nodes permissions on the Enrollment container.
- Give both nodes permissions on the KRA container.
- Adjust the certification authority’s DNS Name in Active Directory Domain Services (ADDS)
- Adjust the certification authority’s DNS name in any application requesting certificates from the original node
Enable both cluster nodes to update the CA certificate when required.
- Log on to a domain controller as a member of the Enterprise Admins group, and open the Active Directory Sites and Services snap-in.
- In the console tree, select the top node. On the View menu, click Show services node.
- In the console tree, double-click Services, double-click Public Key Services, and then click AIA.
- In the details pane, select the CA name as it appears in the Certification Authority snap-in.
- On the Action menu, click Properties. Click the Security tab, and then click Add.
- Click Object Types, select Computers, and then click OK.
- Type the computer name of the second cluster node Node2 as the object name, and click OK.
- Confirm that the computer accounts of both cluster nodes have Full Control permissions, and then click OK
Give both nodes permissions on the Enrollment container
- Log on to a domain controller as a member of the Enterprise Admins group, and open the Active Directory Sites and Services snap-in.
- In the console tree, select the top node. On the View menu, click Show services node.
- In the console tree, double-click Services, double-click Public Key Services, and then click Enrollment Services.
- In the details pane, select the CA name.
- On the Action menu, click Properties. Click the Security tab, and then click Add.
- Click Object Types, select Computers, and click OK.
- Type the computer name of the second cluster node as the object name, and click OK.
- Confirm that the computer accounts of both cluster nodes have Full Control permissions, and then click OK.
Give both nodes permissions on the KRA container
- Log on to a domain controller as a member of the Enterprise Admins group, and open the Active Directory Sites and Services snap-in.
- In the console tree, select the top node. On the View menu, click Show services node.
- In the console tree, double-click Services, double-click Public Key Services, and then click KRA.
- In the details pane, select the CA name.
- On the Action menu, click Properties. Click the Security tab, and then click Add.
- Click Object Types, select Computers, and then click OK.
- Type the computer name of the second cluster node Node2 as object name, and click OK.
- Confirm that the computer accounts of both cluster nodes have Full Control permissions, and then click OK.
Adjust the certification authority’s DNS Name in Active Directory Domain Services (ADDS)
When the CA service was installed on the first cluster node, it created the Enrollment Services object and put its own fully qualified domain name (FQDN) into that object. Since the CA can operate on both cluster nodes, the DNS host name of the Enrollment Services object needs to be changed to the service name of the CA configured in Configure AD CS as a cluster resource
- Log on to a domain controller as a member of the Enterprise Admins group, and open the ADSI Edit snap-in.
- In the console tree, click ADSI Edit. On the Action menu, click Connect to.
- In the list of well-known naming contexts, select Configuration, and click OK.
- In the console tree, double-click Configuration, Services, and Public Key Services, and then click Enrollment Services.
- In the details pane, select the name of the cluster CA. On the Action menu, click Properties.
- Select the attribute dNSHostName, and click Edit.
- Enter the service name of the CA as shown for the client access point in Failover Cluster Manager (ADCS.contoso.com in this document), and click OK twice. Close ADSI Edit.
Adjust the certification authority’s DNS name in any application requesting certificates from the original node
Any system requesting certificates programmatically from the original certification authority node needs to be updated to use the clustered CA service name configured in Configure AD CS as a cluster resource, for example the CA config string ADCS.contoso.com\Contoso Issuing CA instead of Node1.contoso.com\Contoso Issuing CA
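The AD DS post-configuration tasks above (Full Control for both nodes on the AIA, Enrollment Services and KRA objects, and the dNSHostName change) as an added example that is not part of the original procedure. It uses dsacls and the ActiveDirectory module, so run it as an Enterprise Admin on a domain controller or a host with RSAT. The CA name, node names and service FQDN are the ones used throughout this document; the final ping only succeeds once the clustered CA is online under its service name.

```powershell
# Added example (not part of the original procedure): grant both cluster nodes
# Full Control on the CA's AIA, Enrollment Services and KRA objects, point the
# Enrollment Services object's dNSHostName at the clustered service name, and
# check that the CA answers under that name. Run as an Enterprise Admin on a
# domain controller or a host with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$CaName      = 'Contoso Issuing CA'
$Nodes       = 'Node1', 'Node2'
$ServiceFqdn = 'ADCS.contoso.com'

$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$PkiBase  = "CN=Public Key Services,CN=Services,$ConfigNC"
$Domain   = (Get-ADDomain).NetBIOSName
$Targets  = @(
    "CN=$CaName,CN=AIA,$PkiBase",
    "CN=$CaName,CN=Enrollment Services,$PkiBase",
    "CN=$CaName,CN=KRA,$PkiBase"
)

foreach ($Dn in $Targets) {
    if (-not (Get-ADObject -LDAPFilter "(distinguishedName=$Dn)" -SearchBase $PkiBase)) {
        Write-Warning "$Dn does not exist; skipping"
        continue
    }
    foreach ($Node in $Nodes) {
        # GA = Generic All, i.e. Full Control, granted to the node's computer account.
        dsacls $Dn /G "${Domain}\${Node}`$:GA" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $Node on $Dn" }
    }
    # Show only the ACEs that belong to the cluster nodes.
    "ACEs on $Dn"
    dsacls $Dn | Select-String -SimpleMatch -Pattern ($Nodes | ForEach-Object { "$_`$" })
}

# The Enrollment Services object still carries Node1's FQDN. Clients use it to
# locate the CA, so it must name the clustered service instead.
$EnrollDn = "CN=$CaName,CN=Enrollment Services,$PkiBase"
Set-ADObject -Identity $EnrollDn -Replace @{ dNSHostName = $ServiceFqdn }
$Obj = Get-ADObject -Identity $EnrollDn -Properties dNSHostName
if ($Obj.dNSHostName -ne $ServiceFqdn) { throw 'dNSHostName was not updated.' }
"Enrollment Services dNSHostName is now $($Obj.dNSHostName)"

# End-to-end check: the service name resolves and the CA responds under it.
[System.Net.Dns]::GetHostAddresses($ServiceFqdn) | ForEach-Object { $_.IPAddressToString }
certutil -config "$ServiceFqdn\$CaName" -ping
if ($LASTEXITCODE -ne 0) { throw "The CA does not answer as $ServiceFqdn\$CaName" }
```

Enrollment clients cache the Enrollment Services object, so a client that still enrols against Node1.contoso.com after this change usually needs a gpupdate or a reboot rather than a further AD change.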
Copy CAPolicy.inf from the original node Node1 to the passive node Node2
This step is required to ensure the certification authority's renewal settings are the same regardless of which node initiates the renewal request.
- Log on to Node1 using an Enterprise Administrator or CA Administrator account
- Copy %SystemRoot%\CAPolicy.inf to %SystemRoot%\ on Node2