Q. We want to add more reliability to our Windows Public Key Infrastructure (PKI). One easy way to provide this is by installing extra Certification Authority (CA) servers. Can a Windows CA also be clustered?
A. Yes, starting with Windows Server 2008, a Windows CA can be clustered. CA clusters are supported in the Windows Server 2008 Enterprise and Datacenter editions. You can only use clustering for the AD Certificate Services (CS) service and not for other AD CS role services, such as the Online Responder service (this is the service providing OCSP support) or the Network Device Enrollment Service (This is the service providing SCEP support).
Windows CAs can only be configured to use a two-node active/passive cluster. This means that the CA service is only active on one cluster node at a time. If the active node becomes unavailable, the second node becomes active and the CA service will resume on the second node. Windows Server 2008 does not support active/active CA clusters.
CA clusters require shared storage to make the CA database and log files available to both nodes. When you use Hardware Security Module (HSM) to protect your CA keys, you'll also need a shared HSM. This can only be provided if you use a network-attached HSM.
