We are working to set up a 2-tier PKI with 2 issuing CAs in different regions/subnets. We were able to get everything looking right in pkiview.msc. We are still having trouble, though, with the second issuing CA: it doesn't seem to be showing as online in the MMC Certificates snap-in. In pkiview it depends on which server I am testing from. When I am on the south (1st issuing server), it shows the 2nd issuing CA as offline and everything on the 1st is good, and when I am on the north (2nd issuing server) it is the exact opposite. We ran tests and got the following results. I should mention we were asked to place the 2nd issuing CA in a different subnet and region. So we ran the following test with our Azure testing VMs on Windows 10, and the results reflect whether we received a certificate through the MMC from the issuing CA or not. The only issuing CA that responded was the 1st one, in the same region as the root CA. The y or n below shows whether the servers are turned on or off, starting with the root, then the 1st and 2nd issuing CAs; the results are the MMC Certificates snap-in results.
Name        Subnet   Root CA   1st Issuing CA (South)   2nd Issuing CA (North)   Result
test-vm-01  South    y         y                        y                        Successful through 1st Issuing CA
test-vm-02  South    y         y                        n                        Successful through 1st Issuing CA
test-vm-03  South    y         n                        y                        Failed
test-vm-04  South    n         y                        y                        Successful through 1st Issuing CA
test-vm-05  South    n         n                        y                        Failed
test-vm-06  South    n         y                        n                        Successful through 1st Issuing CA
test-vm-07  North    n         y                        n                        Failed
test-vm-08  North    n         n                        y                        Failed
Steps we followed
1 Create VM
2 Turn Servers on or off
3 Join new vm to domain
4 Check for cert
It doesn't line up here with the headings, but it is in the same order as the results. The most surprising result to me is test 7, because the subnet and region of the testing VM is the only difference I found. Not sure why, but it seems like the machines will only get a cert if they are on the same subnet as the issuing CA. Any ideas?
Any advice would be appreciated. Thanks
P.S. The installation process we used was similar to this one: https://www.derekseaman.com/2021/03/windows-server-2019-two-tier-pki-ca-pt-1.html
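An added diagnostic, not part of the original post, that can be run from one of the test VMs against both issuing CAs. MMC enrollment and pkiview reach the CA over DCOM/RPC, so the script separates name resolution, the RPC endpoint mapper port (TCP 135) and the CA's own request interface (certutil -ping); the CA config strings are placeholders to replace with your own.

```powershell
# Added example, not from the original post. The two config strings below are
# placeholders in "CAHost\CAName" form; substitute the real south and north CAs.
$CAs = @(
    'south-ca01.corp.example\Contoso-Issuing-South',
    'north-ca01.corp.example\Contoso-Issuing-North'
)

function Test-CAEnrollmentPath {
    param([Parameter(Mandatory)][string]$Config)

    $caHost = $Config.Split('\')[0]
    $result = [ordered]@{ Config = $Config }

    # 1. DNS: the client must resolve the CA host name from its own subnet/region.
    $result.DnsOk = [bool](Resolve-DnsName -Name $caHost -ErrorAction SilentlyContinue)

    # 2. RPC endpoint mapper: DCOM enrollment starts on TCP 135 and is then redirected
    #    to a dynamic port (49152-65535 by default on current Windows Server), so an NSG
    #    or firewall between subnets has to allow that range as well, not just 135.
    $tnc = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue
    $result.Tcp135Ok = $tnc.TcpTestSucceeded

    # 3. CA request interface: certutil -ping talks to the CA service over the same
    #    DCOM path the MMC snap-in uses, so it reproduces what enrollment sees.
    $pingOutput = & certutil.exe -config $Config -ping 2>&1
    $result.CaPingOk   = ($LASTEXITCODE -eq 0)
    $result.CaPingText = ($pingOutput | Select-Object -Last 1)

    [pscustomobject]$result
}

$CAs | ForEach-Object { Test-CAEnrollmentPath -Config $_ } | Format-Table -AutoSize
```

Run it from a VM in each subnet: a CA that resolves and answers on 135 but fails the ping points at the dynamic RPC range (or the CA service) rather than at DNS, while a CA that fails DNS or 135 points at name resolution or the network rules between the two subnets.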