Skip navigation

Q. Can a Windows CA be clustered?

Q. We want to add more reliability to our Windows Public Key Infrastructure (PKI). One easy way to provide this is by installing extra Certification Authority (CA) servers. Can a Windows CA also be clustered?

A. Yes, starting with Windows Server 2008, a Windows CA can be clustered. CA clusters are supported in the Windows Server 2008 Enterprise and Datacenter editions. You can only use clustering for the AD Certificate Services (CS) service and not for other AD CS role services, such as the Online Responder service (this is the service providing OCSP support) or the Network Device Enrollment Service (This is the service providing SCEP support).

Windows CAs can only be configured to use a two-node active/passive cluster. This means that the CA service is only active on one cluster node at a time. If the active node becomes unavailable, the second node becomes active and the CA service will resume on the second node. Windows Server 2008 does not support active/active CA clusters.

CA clusters require shared storage to make the CA database and log files available to both nodes. When you use Hardware Security Module (HSM) to protect your CA keys, you'll also need a shared HSM. This can only be provided if you use a network-attached HSM.

More information on CA clustering is provided in Microsoft's Certification Authority Clustering Configuration and Troubleshooting Guide.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.