Cloning For Cas - Red Hat CERTIFICATE SYSTEM 8 Install Manual


Chapter 6. Cloning Subsystems
Figure 6.1. Cloning Example
The load balancer in front of a Certificate System subsystem is what provides the actual failover
support in a high availability system. A load balancer can also provide the following advantages as
part of a Certificate System subsystem:
• DNS round-robin, a feature for managing network congestion that distributes load across several
different servers.
• Sticky SSL, which makes it possible for a user returning to the system to be routed to the same
host used previously.

6.1.1. Cloning for CAs

Cloned instances have the exact same private keys as the master, so their certificates are identical.
For CAs, that means that the CA signing certificates are identical for the original master CA and its
cloned CAs. From the perspective of clients, these look like a single CA.
Every CA, both cloned and master, can issue certificates and process revocation requests.
The main issue with managing cloned CAs is how to assign serial numbers to the certificates they
issue. Different CAs can have different levels of traffic, using serial numbers at different rates, and it is
imperative that no two CAs issue certificates with the same serial number. These serial number ranges
are assigned and managed dynamically by using a shared, replicated entry that defines the ranges for
each CA and the next available range to reassign when one CA's range runs low.
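
The range handling described above can be sketched as a small simulation. This is an added example, not Certificate System code: the class names, the range size of 100 and the low-water threshold of 10 are assumptions chosen for illustration, and an in-memory object stands in for the shared, replicated entry.

```python
# Simplified model of dynamic serial-range assignment among cloned CAs.
# All names and numbers are constructed for illustration (assumptions).
from dataclasses import dataclass, field


@dataclass
class SharedRangeEntry:
    """Stands in for the shared, replicated entry that records the ranges."""
    next_free: int = 1
    increment: int = 100                           # size of each range handed out
    assigned: list = field(default_factory=list)   # (ca_name, begin, end)

    def allocate(self, ca_name):
        begin, end = self.next_free, self.next_free + self.increment - 1
        self.next_free = end + 1                   # advance so ranges never overlap
        self.assigned.append((ca_name, begin, end))
        return begin, end


class CloneCA:
    def __init__(self, name, shared, low_water=10):
        self.name, self.shared, self.low_water = name, shared, low_water
        self.current = shared.allocate(name)
        self.cursor = self.current[0]
        self.reserve = None                        # range fetched ahead of need

    def issue_serial(self):
        if self.cursor > self.current[1]:          # exhausted: switch to the reserve
            self.current, self.reserve = self.reserve, None
            self.cursor = self.current[0]
        serial = self.cursor
        self.cursor += 1
        remaining = self.current[1] - self.cursor + 1
        if remaining <= self.low_water and self.reserve is None:
            self.reserve = self.shared.allocate(self.name)   # range is running low
        return serial


def simulate(traffic):
    """traffic: CA names, one per certificate request, in arrival order."""
    shared = SharedRangeEntry()
    cas = {name: CloneCA(name, shared) for name in dict.fromkeys(traffic)}
    issued = [(name, cas[name].issue_serial()) for name in traffic]
    return shared, issued


# Constructed workload: the master handles far more requests than the clone.
TRAFFIC = ["master"] * 250 + ["clone1"] * 30

if __name__ == "__main__":
    shared, issued = simulate(TRAFFIC)
    print(shared.assigned, len({s for _, s in issued}) == len(issued))
```

In this model the busier CA draws further ranges while the quieter one stays in its first, so serial numbers are unique across the CAs but do not reflect the order of issuance.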
This manual is also suitable for:

System 8 - install guide 25-03-2010
