Windows Server 2019 ADCS PKI Infrastructure questions

  • Question

  • I have been asked to plan, design, and deploy a Microsoft Windows Server 2019 ADCS PKI deployed on Azure Windows VMs.  It will be a two-tier architecture with an offline standalone rootCA and six Enterprise issuing subCAs deployed in six Azure regions to include three paired regions with each region having a primary and secondary region, i.e. US, EU, and APAC paired regions.  AD DS domain controller global catalog servers and ADCS issuing subCAs will be deployed in each Azure region.  ASR will not be used for failing over AD DS domain controllers and AD CS servers in the primary regions to the secondary regions due to some risk when using ASR for failover of AD DS domain controllers and their dependent ADCS subCAs.

    The rootCA will be stood up then brought offline per best practices during the deployment of the subCAs and all other components.  Before the rootCA is taken offline, all recommended security measures per guidance will be followed for securing the rootCA.  All recommended security measures per guidance will be taken with all other components comprising the global PKI.

    The PKI will need to support both AD DS-joined computers with autoenrollment and non-AD DS-aware devices.  The same certificate templates will be created and deployed on all subordinate CAs so that each subordinate issuing CA will have the same certificate templates.  The encryption algorithm will use ECC P-384. The PKI will need to support both NDES (used for SCEP with Intune/Endpoint Manager) and NPS for integration with Azure MFA using the NPS extension.

    The CDP and AIA will use both CRL and OCSP and will be deployed on separate web servers.  This takes into account older systems that are not OCSP aware.  Those web servers will be geo load balanced using Citrix ADC LBs and a CNAME record will be configured for the LB VIP which clients will use to access the CDP and AIA.

    What I am not clear about is how best to configure the Certificate Web Enrollment Service (CES) and the Certificate Web Enrollment Policy (CEP) so they are globally accessible and resilient to any outages for systems that are not AD DS aware and cannot use autoenrollment, thus requiring manual enrollment.  Should the CES and CEP be deployed on separate web servers and load balanced?  If these services are deployed on separate web servers and load balanced, would it randomly select an issuing subCA?  What impact would this have on BC/DR?  What if the issuing CA is no longer available?  Since each issuing subCA will contain the same certificate templates, would it even matter if the certificate needs to be renewed or revoked and renewed?  Please advise.

    • Changed type Dave PatrickMVP Wednesday, December 23, 2020 8:08 PM question
    • Moved by Dave PatrickMVP Wednesday, December 23, 2020 8:08 PM looking for forum
    Wednesday, December 23, 2020 7:50 PM
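An added example, not part of this thread and not Microsoft tooling: a small lint that checks whether a certificate's CDP/AIA extensions match the design laid out in the question (an HTTP CRL distribution point for clients that are not OCSP-aware, an OCSP responder, a caIssuers URL, all hosted on the geo-load-balanced CNAME rather than an individual CA's hostname). It assumes the third-party `cryptography` package and a hypothetical LB CNAME `pki.example.com`; the certificate it builds is constructed test data, not one issued by the PKI described.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, AuthorityInformationAccessOID, ExtensionOID

PKI_HOST = "pki.example.com"  # assumed LB CNAME fronting the CDP/AIA web servers (hypothetical)

def build_sample_cert(crl_urls, ocsp_urls, ca_urls):
    """Constructed P-384 self-signed test certificate carrying the given CDP/AIA URLs."""
    key = ec.generate_private_key(ec.SECP384R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test Issuing CA")])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if crl_urls:  # one DistributionPoint per CRL URL, as a CA with several CDP entries would emit
        dps = [x509.DistributionPoint([x509.UniformResourceIdentifier(u)], None, None, None) for u in crl_urls]
        b = b.add_extension(x509.CRLDistributionPoints(dps), critical=False)
    uri = x509.UniformResourceIdentifier
    aia = [x509.AccessDescription(AuthorityInformationAccessOID.OCSP, uri(u)) for u in ocsp_urls]
    aia += [x509.AccessDescription(AuthorityInformationAccessOID.CA_ISSUERS, uri(u)) for u in ca_urls]
    if aia:
        b = b.add_extension(x509.AuthorityInformationAccess(aia), critical=False)
    return b.sign(key, hashes.SHA384())

def _ext(cert, oid):
    """Extension value, or None when absent (a cert with no CDP/AIA is a finding, not a crash)."""
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None

def lint_revocation_urls(cert, lb_host=PKI_HOST):
    """Return findings (empty list = OK): an HTTP CRL DP for clients that are not OCSP-aware,
    an OCSP responder and a caIssuers URL must all be present and hosted on the LB CNAME."""
    crl, ocsp, ca_issuers, findings = [], [], [], []
    for dp in _ext(cert, ExtensionOID.CRL_DISTRIBUTION_POINTS) or []:
        crl += [n.value for n in (dp.full_name or []) if isinstance(n, x509.UniformResourceIdentifier)]
    for ad in _ext(cert, ExtensionOID.AUTHORITY_INFORMATION_ACCESS) or []:
        (ocsp if ad.access_method == AuthorityInformationAccessOID.OCSP else ca_issuers).append(ad.access_location.value)
    if not any(u.startswith("http://") for u in crl):
        findings.append("no HTTP CRL distribution point: non-OCSP-aware clients cannot check revocation")
    if not ocsp:
        findings.append("no OCSP responder in AIA")
    if not ca_issuers:
        findings.append("no caIssuers URL in AIA")
    for u in crl + ocsp + ca_issuers:
        if (urlparse(u).hostname or "").lower() != lb_host:
            findings.append(f"{u} is not served from the load-balanced CNAME {lb_host}")
    return findings
```

Run it against a certificate exported from each issuing subCA: any finding naming a per-region CA hostname means that region's outage would break revocation checking for every client, which is exactly the BC/DR exposure the CNAME is meant to remove.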

Answers

  • I'd try asking for help over here.

    Azure on Q&A | Microsoft Docs

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by KHURRAM RAHIM Friday, December 25, 2020 5:14 PM
    • Marked as answer by Dave PatrickMVP Wednesday, December 30, 2020 9:39 PM
    Wednesday, December 23, 2020 8:08 PM