We are in the planning stages of deploying a CA using Dogtag. Here is
what we know we need and what resources we have to work with. Any
suggestions are welcome!
A primary CA - only used to create the subordinate CAs.
A subordinate CA - this would actually create the certs.
We have 2 servers with shared fibre channel storage. Each currently has
LDAP (389 project) installed, and they are replicating between themselves. The
LDAP servers run on their own IPs. Also, these 2 servers are a corosync
cluster with 4 resource groups: puppet, mysql, apache, snmptrapd and
syslog-ng. Each of these has its own IP as well. None of these
services are load-balanced. They are either on one server or the other;
all the files these services need are on fibre channel storage.
Now the CA. Here is what I have considered:
1) CA1 runs on server1- it uses the local LDAP server for storage
2) CA2 runs on server2- it uses the local LDAP server for storage
3) A clone of CA1 runs on server2 using server2's LDAP storage
4) A clone of CA2 runs on server1 using server1's LDAP storage
Ideally, we would run the service like we do apache. It would run on
either host, but only on one at a time. It would have its files on shared
storage to support this. The problem with this setup is that the LDAP storage
is a single point of failure, as I cannot refer to 2 LDAP servers at
the same time, AFAIK.
For HA, it seems that the best I could do would be to have both LDAP
servers and all 4 PKI instances installed on shared storage.
Any thoughts on this are greatly appreciated.
Thanks,
Dave
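The single-LDAP-host problem described in the post above can be worked around at resource-start time: before the cluster starts the CA on a node, a hook re-points the instance's internal database connection at a reachable 389-DS replica (the node-local one first). The following is an added example written for this page, not code from the original poster or from the Dogtag project. It assumes Dogtag's CS.cfg stores the connection in the keys internaldb.ldapconn.host and internaldb.ldapconn.port as plain key=value lines; the hostnames, ports and the sample CS.cfg fragment are constructed for illustration. The reachability probe is injected as a callable so the logic can be exercised offline.

```python
"""Added example (not from the original post or the Dogtag project): a
start-hook style helper that re-points a Dogtag CA instance's internal
database connection at whichever 389-DS replica is reachable before the
CA is started on a cluster node.

Assumptions (labelled as such): Dogtag's CS.cfg keeps the LDAP host/port in
the keys ``internaldb.ldapconn.host`` / ``internaldb.ldapconn.port`` and the
file is plain ``key=value`` lines. Hostnames, ports and the sample config
below are constructed for illustration.
"""
import socket
from typing import Callable, List, Optional, Tuple

HOST_KEY = "internaldb.ldapconn.host"
PORT_KEY = "internaldb.ldapconn.port"

# Constructed sample CS.cfg fragment (not a real instance's file).
SAMPLE_CS_CFG = """\
# Dogtag CA internal database connection (constructed sample)
internaldb.ldapconn.host=ldap1.example.test
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
internaldb.basedn=o=pki-tomcat-CA
"""

Entry = Tuple[str, Optional[str]]


def parse_cs_cfg(text: str) -> List[Entry]:
    """Parse CS.cfg into (key, value) pairs; comments and blank lines are kept
    as (line, None) so the file can be rewritten without losing anything."""
    entries: List[Entry] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            entries.append((line, None))
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip(), value.strip()))
    return entries


def render_cs_cfg(entries: List[Entry]) -> str:
    """Serialise entries back to key=value lines."""
    return "\n".join(k if v is None else f"{k}={v}" for k, v in entries) + "\n"


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Default probe: can we open a TCP connection to the replica's LDAP port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_replica(replicas: List[Tuple[str, int]], preferred: str,
                   probe: Callable[[str, int], bool]) -> Optional[Tuple[str, int]]:
    """Return the first reachable replica, trying the preferred (node-local)
    one first so the CA normally talks to the same box it runs on."""
    ordered = sorted(replicas, key=lambda hp: hp[0] != preferred)
    for host, port in ordered:
        if probe(host, port):
            return host, port
    return None


def repoint_internaldb(cfg_text: str, replicas: List[Tuple[str, int]],
                       preferred: str,
                       probe: Callable[[str, int], bool] = tcp_reachable):
    """Rewrite the internaldb host/port to a reachable replica and return
    (new_config_text, (host, port)). Raises RuntimeError when no replica
    answers, so a resource agent calling this fails the start instead of
    bringing up a CA with no database."""
    target = choose_replica(replicas, preferred, probe)
    if target is None:
        raise RuntimeError("no 389-DS replica reachable; refusing to start CA")
    host, port = target
    new_entries: List[Entry] = []
    for key, value in parse_cs_cfg(cfg_text):
        if value is None:
            new_entries.append((key, value))
        elif key == HOST_KEY:
            new_entries.append((key, host))
        elif key == PORT_KEY:
            new_entries.append((key, str(port)))
        else:
            new_entries.append((key, value))
    return render_cs_cfg(new_entries), target


if __name__ == "__main__":
    replicas = [("ldap1.example.test", 389), ("ldap2.example.test", 389)]
    # Simulate ldap1 being down so the CA is re-pointed at ldap2.
    text, chosen = repoint_internaldb(SAMPLE_CS_CFG, replicas, "ldap1.example.test",
                                      probe=lambda h, p: h == "ldap2.example.test")
    print(chosen)
    print(text)
```

This only helps if both 389-DS replicas carry the CA's suffix and replication is healthy, and it does not replace Dogtag's own clone mechanism; a running instance also rewrites CS.cfg itself, so the hook should only run while the CA is stopped.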