Score:1

Highly available PKI related questions with regard to CA/OCSP and NDES


I have some specific questions with regard to a highly available PKI based on ADCS.

The questions are as follows. Please see the detailed info below to get more info on the case.

--------------------------- questions ------------------------

1. In an environment with multiple issuing CAs, how does the client choose which CA to contact for a new certificate?

2. What is the difference between hosting 2 VMs with the Online Responder role and revocation configurations pointing to both CAs, as opposed to hosting 2 Online Responders that are set up in an array and point to both CAs' revocation configurations?

3. What would be the best setup for a highly available NDES setup with 2 CAs? (NDES to leverage Intune SCEP connectors to provide certificates to AAD-only clients.)

   Sub question: Can an NDES server with a certificate connector point to two CAs simultaneously? Or what would happen if CA1 died, but NDES1 was still up?

---------------------------- backstory -----------------------------

Here I will explain the environment that we are going to build. I need to cater a PKI setup for this environment that meets the requirements. We are building 2 new datacenters in Azure, one in Region A and the other one in Region B. The reason we have 2 datacenters is purely from a high availability standpoint. All the clients exist in the same region. They will primarily be leveraging region A for its services. However, the services in region B are always running. When a service in region A dies, clients should fall back to region 2. The datacenters have servers that are domain joined. The clients will be AAD-only joined laptops managed through Intune.

So I am asked to create a PKI for this. This means a CA per region, CRL hosting per region, an online responder per region and an NDES server per region.

I have everything Azure has to offer at my disposal. We also plan on using Traffic Manager to direct traffic going to the datacenters from the WAN side. So through this we would get the traffic in either datacenter A or B. Furthermore, we leverage network virtual appliances for load balancing internal datacenter traffic.

-------------------------- research ------------------------

I did some Google searches and found some information with regard to highly available PKIs, but not everything I wished. I did find plenty of examples of highly available CRLs, so I do not need info on this. The only reference with regard to HA CAs was with Windows Failover Clustering, but that is not an option as my CAs span 2 datacenters. I did find it was no problem to have multiple CAs, but how clients actually choose one was not described.

Score:0

In an environment with multiple issuing CAs, how does the client choose which CA to contact for a new certificate?

I've not found any documentation for this, but a while ago I did notice that given two CAs with the same template enabled, that clients enrolled from the last CA to have the template enabled. Presumably, if that CA wasn't available, the client would try the next.

What is the difference between hosting 2 VMs with the Online Responder role and revocation configurations pointing to both CAs, as opposed to hosting 2 Online Responders that are set up in an array and point to both CAs' revocation configurations?

All members of the array share common settings, therefore are easier to manage. From a client point of view, it makes no difference whether you have an array, or a collection of separate responders.

What would be the best setup for a high-available NDES setup with 2 CAs?

An NDES server can only access one CA. You can have multiple NDES server instances using one CA, but as the CA is then the SPOF, you have to wonder if there's any benefit. One NDES per CA is probably your best bet. The NDES server simply acts like a protocol converter: SCEP <-> WCCE.

Your Intune SCEP connector is installed on the NDES server. As the NDES server only accesses one CA, then the connector can only access that same CA.

I believe you can set up multiple connector instances in Intune. Each instance should be configured with similar settings, as you won't be able to define which connector will be used by Intune.
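As an added example, not part of the answer above: a PowerShell check, run as a domain user on a domain-joined machine, that shows which CAs advertise a template (the set a client's autoenrollment will pick from), whether each issuing CA's enrollment interface is reachable, and whether revocation lookups for an issued certificate still succeed when one responder or CDP host is down. The CA config strings, template name and certificate path are constructed placeholders.

```powershell
# Added example (not from the thread). Placeholders below are constructed for illustration.
$CAs      = @('ca-a.corp.example\Corp-Issuing-CA-A',
              'ca-b.corp.example\Corp-Issuing-CA-B')   # assumed "host\CA common name" config strings
$Template = 'CorpUserAuth'                              # assumed template name (its cn in AD)
$LeafCert = 'C:\temp\issued-by-ca-a.cer'                # assumed path to a cert issued by one of the CAs

# 1. Which enrollment services in AD publish the template?
#    A client only considers CAs that advertise the template; if only one CA does,
#    that CA is a single point of failure for enrollment regardless of how many CAs exist.
Write-Host "CAs publishing template '$Template':"
certutil -TemplateCAs $Template

# 2. Is each CA's request interface (ICertRequest over DCOM) alive?
#    certutil returns a non-zero exit code (the HRESULT) when the ping fails.
$alive = @()
foreach ($ca in $CAs) {
    certutil -ping -config $ca | Out-Null
    if ($LASTEXITCODE -eq 0) {
        $alive += $ca
        Write-Host "OK   $ca"
    } else {
        Write-Host ("DOWN {0} (exit 0x{1:X8})" -f $ca, $LASTEXITCODE)
    }
}
if ($alive.Count -lt $CAs.Count) {
    Write-Warning "Only $($alive.Count) of $($CAs.Count) issuing CAs reachable; enrollment depends on the survivors"
}

# 3. Does chain building and revocation checking still work for an issued certificate?
#    -urlfetch retrieves every AIA, CDP and OCSP URL found in the chain, so the output
#    shows which revocation sources (per responder / per CRL host) answered or failed.
certutil -verify -urlfetch $LeafCert
```

Run step 3 once with both responders up and once with one stopped to confirm the chain still verifies from the surviving revocation source.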
