
Issue with installing Subordinate CA on a Failover Cluster - Second Node


    I have a 2-tier PKI hierarchy: RootCA (2k8, Standalone, Root) protected by a Luna PCI HSM which signs the CSR of a Sub-Ordinate CA (2k8 R2, domain member, Enterprise, Subordinate) created on 2 machines that should act in failover cluster.
    I successfully installed the rootCA and subordinateCA on the 1st machine on the first cluster node. My guide was “Failover Clustering and Active Directory Certificate Services in Windows Server 2008 and Windows Server 2008 R2” (By Carsten B. Kinder & Mark B. Cooper).
    My issue is with installation on the second cluster node. I perform the following operations:
    1. First Cluster Node: Back up “Private Key and CA Certificate” on the 1st cluster node.
    2. First Cluster Node: During backup, a normal error message appears related to the fact that the private key couldn’t be backed up (normal behavior, as the private key never leaves the HSMs - the HSMs are Luna SA in HA cluster and the CSP, installed on both subordinate nodes, points to the HA slot of the Luna SA).
    3. First Cluster Node: I shut down the first node (in order to make sure that all resources are free for the second cluster node – shared storage, CA DB from shared storage, network connections to HSMs).
    4. Second Cluster Node: I open the MMC, add the “Certificates” snap-in, and set the snap-in to manage certificates for “Computer Account”, Local Computer. In the Certificates snap-in, under “Personal”, I start the import process of the p12 file generated during the first cluster node backup.
    5. Second Cluster Node: the `certutil -repairstore -csp "Luna CPS for Microsoft Windows" My "certificate_serial_number"` command is executed.
    6. Second Cluster Node: the ADCS installation (Enterprise, Subordinate) is started and at the “Set up Private Key” window I choose “use existing private key” > “select a certificate and use its associated private key”.
    7. Second Cluster Node: in all documentation I found, at this moment, in the “select existing certificate” window, the “certificates” box should display the certificate from the first cluster node.
    8. ISSUE: this certificate does not appear and the “certificates” box is empty.
    9. ISSUE: when I try to manually import the p12 file, I get an error related to the fact that the file does not contain the expected CA Type.

    10. My debugging revealed that the p12 backup file from the first cluster node contains 2 certificates: rootCA and SubordinateCA (`certutil -dump x.pfx`).
    11. The certocm log file on the Second Cluster Node says that the certificate [(in the p12 file) found when executing the “Import” action for the “select existing certificate” box] is self-signed. CONCLUSION: the import action parses the p12 file and uses the rootCA cert in the Import action, instead of the Subordinate certificate.
    Possible resolutions I thought of are (and I hope you can help me with any of these):
    1. On the 1st cluster node, create a backup file that contains only the SubordinateCA certificate. Is there any possibility to define which certificates and keys are backed up in the generated p12 file?
    2. How can I edit/split the p12 file (backup file) so that I will have only the SubordinateCA certificate in the backup p12 file?
    3. What actions may be performed in order to have the Subordinate CA certificate automatically displayed in the “select existing certificate” > “certificates” box?
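The following PowerShell script is an added example and is not part of the original post; it shows one way to do the split asked about in resolution 2, using only the .NET X509 classes that ship with Windows. It loads every certificate from the backup container, flags the self-signed one (Subject equal to Issuer, which is the rootCA the import action was picking up), checks that the remaining certificate chains to it, and writes the subordinate CA certificate alone to a new PKCS#12 file, with the root written separately as a DER .cer for the Trusted Root store. The file path, password and output directory are placeholders, not values from the post. Because the subordinate key never left the Luna HSM, the new p12 carries no private key; after importing it into the Local Computer “Personal” store, the `certutil -repairstore` step from the post re-links the certificate to the HSM-held key.

```powershell
# Added example (not from the original post). Splits a CA backup PFX/P12 into
# the subordinate CA certificate alone and the root certificate, so that the
# file offered to "select existing certificate" contains no self-signed cert.
# ASSUMED: the path, password and output directory below are placeholders.
$PfxPath     = 'C:\CABackup\SubCA-backup.p12'   # placeholder: backup from step 1
$PfxPassword = 'REPLACE-WITH-BACKUP-PASSWORD'    # placeholder
$OutDir      = 'C:\CABackup\split'               # placeholder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Load every certificate in the container. No private key is expected here:
# it never left the HSM, which is why the backup warned in step 2.
$coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$coll.Import($PfxPath, $PfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

# Report what certutil -dump showed, with a self-signed flag per certificate.
# Subject equal to Issuer is the simple self-signed test; the root matches it.
foreach ($c in $coll) {
    $selfSigned = ($c.Subject -eq $c.Issuer)
    Write-Output ('{0}  self-signed={1}  serial={2}' -f $c.Subject, $selfSigned, $c.SerialNumber)
}

$subCerts  = @($coll | Where-Object { $_.Subject -ne $_.Issuer })
$rootCerts = @($coll | Where-Object { $_.Subject -eq $_.Issuer })
if ($subCerts.Count -ne 1) {
    throw "Expected exactly one non-self-signed certificate, found $($subCerts.Count)"
}
$sub = $subCerts[0]

# Sanity check: the subordinate cert must be issued by the root carried in the file.
if ($rootCerts.Count -eq 1 -and $sub.Issuer -ne $rootCerts[0].Subject) {
    throw 'Subordinate certificate issuer does not match the root subject'
}

# Write the subordinate CA certificate alone as PKCS#12 (no private key inside;
# certutil -repairstore with the Luna CSP re-links it to the HSM key afterwards).
$pfx = $sub.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $PfxPassword)
[System.IO.File]::WriteAllBytes((Join-Path $OutDir 'SubCA-only.p12'), $pfx)

# Write the root separately as DER for the Trusted Root Certification Authorities store.
if ($rootCerts.Count -eq 1) {
    $cer = $rootCerts[0].Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes((Join-Path $OutDir 'RootCA.cer'), $cer)
}
```

Run it on the machine holding the backup, then confirm with `certutil -dump` on the new file that exactly one, non-self-signed certificate is listed before using it in step 4 of the procedure above. The import of SubCA-only.p12 and the subsequent `certutil -repairstore` call are unchanged from the post; the script only removes the self-signed root from the container that the “select existing certificate” import was parsing.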