CA PKI Cluster failover

  • Question

  • Hi,

    Firstly, there never seems to be a relevant option in the forum category, hence the current selection.

    After reviewing several guides for setting up a PKI failover 2-tier solution, they all seem to suggest using an iSCSI target server to allow clustered volumes to host the cert db, logs and in some instances AIA/CDP locations/files.

    Am I right in saying that if the target/host of that storage went down then the PKI infrastructure would fail because the shared volume would no longer be available on the two issuing servers in the PKI hierarchy?

    It therefore seems kind of useless? You would then need some kind of redundancy for the shared volume on the target server, right?

    To me it seems like you'd want a separate VHDX or something which can be mounted to and written by both servers, but then there's a whole load of other questions about the technicalities behind that.

    Can anyone answer my first question and possibly provide advice on achieving a truly redundant PKI hierarchy?

    root CA | two issuing CAs (clustered with redundant storage somehow) | load balanced IIS web servers for AIA/CDP


    Tuesday, November 24, 2020 2:39 AM