Forum Discussion

thanhtien19
Iron Contributor
Oct 21, 2021

two CA in one domain

Hi, we have a root domain (corp.com) and a child domain (abc.corp.com). We can build two servers, add the Certificate Authority role, and configure them as subordinate CAs: server 01 with the sub CA name "CA SUB 01" and server 02 with "sub CA 02". Can we build two CAs in the same domain? Will it affect the domain, i.e. will the templates be the same or different?

3 Replies

  • LainRobertson
    Silver Contributor
    Yes, you can build two (or more) certificate authorities within a domain. It's not commonly done and it's not something I'd advise under normal circumstances, but you can do it.

    The certificate templates are stored in the Active Directory CN=Configuration partition, meaning that single location is used by all authorities (and their subordinates). This means that any changes to these Active Directory-stored templates are visible to all authorities.

    Installing a second (or more) certificate authority will not affect the templates. The templates are only installed by default when using the "Enterprise CA" option (as distinct from the "Standalone" option) and if they already exist, are left alone.

    Cheers,
    Lain
    • tw h
      Copper Contributor

      LainRobertson What are the restrictions of the two CAs?

      Can I have two different CAs with different encryptions (e.g. one with RSA 4k, and one with ED29919)?

      If so, how does a client know which CA it has to contact in order to get/renew a certificate?

      If it is not possible, what is the best way to replace an RSA CA with an Elliptic Curve CA (EC certificates can only be signed by an EC CA certificate)? Renewing the CA has no option to change the encryption.


      • LainRobertson
        Silver Contributor

        tw h

        This is an old thread and your question is not the same as the original poster's, so I'll keep this short and in the original context of Active Directory Certificate Services (AD CS):


        • AD CS does not support ED25519 (I'm assuming this is what you meant when you said "ED29919"), meaning there's nothing to discuss in relation to it;
        • AD CS supports AES and ECDSA;
        • You do not need two separate authorities in order to issue AES and ECDSA certificates - a single authority can issue both;
        • Being able to issue both RSA and ECDSA has nothing to do with the signature on the root certificate;
        • AD CS uses "templates" to issue certificates, and within the properties of each template are the settings that specify which provider and algorithm are issued when a client requests the issuance of a certificate based on that template (see example below);
        • Only Windows domain-joined clients can make use of Active Directory group policy-based auto-enrolment (which optionally can handle renewal automation). Any other client has to have their certificate(s) manually renewed, in which case there is no concept of "knowing which authority to contact".


        Some additional, general AD CS reading:


        And a non-AD CS article for anyone wondering what ED25519 is:


        If AD CS does not meet your needs then I'm afraid I cannot provide any advice, as I only work with AD CS (and SCCM, but that's out of scope for this discussion) for enterprise certificate management automation.


        Cheers,

        Lain
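
The two points Lain makes above, that every CA in the forest reads templates from the one CN=Public Key Services location in the configuration partition, and that the provider and algorithm are a property of the template rather than of the CA, can both be checked directly with LDAP. The following PowerShell is an added example for this thread, not code from Lain or from Microsoft. It issues read-only queries against the forest's configuration partition and assumes it is run on a domain-joined Windows host as an ordinary domain user; the template name 'WebServerECDSA' is hypothetical, while 'Computer' is the built-in v1 template.

```powershell
# Added example (not from the thread): list the CAs registered in the forest and the
# templates each publishes, then read the key/provider settings a template carries.
# Read-only LDAP against the configuration partition; run as a domain user on a
# domain-joined Windows host.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Find-PkiObject {
    # Thin DirectorySearcher wrapper scoped to one container under CN=Public Key Services.
    param([string]$Container, [string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 1000
    foreach ($prop in $Properties) { [void]$searcher.PropertiesToLoad.Add($prop) }
    $searcher.FindAll()
}

function Get-FirstValue {
    # DirectorySearcher lowercases property names; return the first value or $null.
    param($Properties, [string]$Name)
    $v = $Properties[$Name.ToLowerInvariant()]
    if ($v -and $v.Count -gt 0) { $v[0] } else { $null }
}

# 1. Every Enterprise CA in the forest. A second (or third) CA in the same domain is
#    just another pKIEnrollmentService object here; its certificateTemplates attribute
#    lists which of the shared templates that particular CA publishes.
function Get-EnterpriseCa {
    foreach ($ca in (Find-PkiObject -Container 'Enrollment Services' `
                        -Filter '(objectClass=pKIEnrollmentService)' `
                        -Properties 'cn','dNSHostName','certificateTemplates')) {
        [pscustomobject]@{
            CA        = Get-FirstValue $ca.Properties 'cn'
            Host      = Get-FirstValue $ca.Properties 'dNSHostName'
            Templates = (@($ca.Properties['certificatetemplates']) | Sort-Object)
        }
    }
}

# 2. The key/provider settings on a template. v1/v2 templates name legacy CSPs in
#    pKIDefaultCSPs and imply RSA; v3/v4 (CNG) templates carry the public-key algorithm
#    in msPKI-RA-Application-Policies as backtick-delimited name`type`value` triples, e.g.
#    msPKI-Asymmetric-Algorithm`PZPWSTR`ECDSA_P256`
function Get-TemplateKeySetting {
    param([string]$TemplateName)
    foreach ($t in (Find-PkiObject -Container 'Certificate Templates' `
                        -Filter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
                        -Properties 'cn','msPKI-Template-Schema-Version','msPKI-Minimal-Key-Size',
                                    'msPKI-RA-Application-Policies','pKIDefaultCSPs')) {
        $p = $t.Properties
        $algorithm = 'RSA (implied: no msPKI-Asymmetric-Algorithm entry)'
        $raw = Get-FirstValue $p 'msPKI-RA-Application-Policies'
        if ($raw) {
            $fields = $raw -split '`'
            for ($i = 0; $i + 2 -lt $fields.Count; $i += 3) {
                if ($fields[$i] -eq 'msPKI-Asymmetric-Algorithm') { $algorithm = $fields[$i + 2] }
            }
        }
        [pscustomobject]@{
            Template      = Get-FirstValue $p 'cn'
            SchemaVersion = Get-FirstValue $p 'msPKI-Template-Schema-Version'
            MinKeySize    = Get-FirstValue $p 'msPKI-Minimal-Key-Size'
            Algorithm     = $algorithm
            Providers     = (@($p['pkidefaultcsps']) -join '; ')
        }
    }
}

Get-EnterpriseCa | Format-Table -AutoSize
Get-TemplateKeySetting -TemplateName 'Computer'        # built-in v1 template: RSA
Get-TemplateKeySetting -TemplateName 'WebServerECDSA'  # hypothetical v4 (CNG) template
```

The first query is also the answer to "which CA does a domain-joined client contact": the Windows enrollment client enumerates the pKIEnrollmentService objects above and sends its request to a CA that publishes the requested template and on which the requester holds Enroll permission, so two CAs in one domain each decide what they issue by which shared templates they publish. The second query shows why an RSA and an ECDSA template can sit side by side on the same CA: the algorithm lives in the template object, which every CA reads from the same container. The same data can be cross-checked with certutil -v -template on a domain member.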
