To deploy the OCSP service in an Active-Active architecture:
- Follow the steps described in Starting up PKI Hub to install and configure a Cryptographic Security Platform cluster in each data center.
- If an Entrust Certificate Authority provides the certificate status, follow the steps described in Managing CA Gateway to configure CA Gateway in both data centers,
- Synchronize the CA Gateway configuration between data centers as previously explained in Configuration synchronization. Note that the URLs may differ between data centers depending on the network topology.
- Deploy the CA Gateway solution in both data centers.
- In both data centers, configure Validation Authority solutions as described in Managing Validation Authority.
- Configure the Hardware Security Module (HSM) in each data center. Typically, each data center has its own HSM cluster. If the latency between data centers is low, a single HSM cluster can be deployed across all data centers, and each PKI Hub cluster can be configured to use all the HSMs.
- Generate OCSP signing keys for each Validation Authority deployment. Each deployment uses its own OCSP signing keys, but the issuing CA can be the same.
- Synchronize the Validation Authority configuration between data centers as previously explained in Configuring synchronization. Configure each Validation Authority deployment to retrieve certificate revocation status from the same Entrust Certificate Authority or CRL server. Note that the URLs may differ between data centers depending on the network topology.
- Deploy Validation Authority solution in both data centers.
- Configure the load balancer or DNS to distribute OCSP traffic across all active data centers.