3. Network Issues

A PKI is only fully operational if all of its services are fully operational. This includes services like OCSP and SCEP, but it also includes the public gateway. Many people think it is enough if OCSP and one CDP still work, but this is wrong. The first problem is that most applications don't understand OCSP. The second problem is that the last running CDP may only support LDAP, while there are applications which only support HTTP; even more problematic is a single running HTTPS CDP. The core mistake in this assumption is the meaning of "fully operational". A PKI is not fully operational if only the CDPs still work. If nobody can download a new certificate, or the certificate of a user they have never contacted before, the PKI service is interrupted. The PKI is still secure, but many people confuse secure with operational.

In a time of server consolidation and omnipresent networks it is important to understand that all public PKI services must remain available after a single failure. This includes network and power outages. A second fibre only helps if it is not in the same pipe as the first one. A digger doesn't distinguish between the fibres when it cuts a pipe - I know this situation really well :( If you have big distributed units then it is recommended that at least two of these units run the public interfaces. In this case you should have independent interconnects.
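
The single-failure rule above can be checked mechanically against an inventory of public endpoints. The following Python sketch is an added example, not part of the original guide; the `Endpoint` fields, the site, pipe and feed names, and both inventories are constructed for illustration. It fails each site, pipe and power feed in turn and reports which service/protocol pairs go offline.

```python
from collections import namedtuple

# One public endpoint of the PKI and the failure domains it depends on.
Endpoint = namedtuple("Endpoint", "service protocol site conduit power")
DOMAINS = ("site", "conduit", "power")

def single_failure_gaps(inventory):
    """Map each single failure to the (service, protocol) pairs it takes offline.

    Every protocol a service is published on must survive, because a client
    that only speaks HTTP gains nothing from a surviving LDAP CDP.
    """
    required = {(e.service, e.protocol) for e in inventory}
    gaps = {}
    for domain in DOMAINS:
        for failed in sorted({getattr(e, domain) for e in inventory}):
            alive = {(e.service, e.protocol) for e in inventory
                     if getattr(e, domain) != failed}
            lost = sorted(required - alive)
            if lost:
                gaps[(domain, failed)] = lost
    return gaps

# Constructed inventory: two sites, but both fibres run through the same pipe,
# and only site dc-a serves the HTTP CDP, SCEP and the public gateway.
WEAK = [
    Endpoint("CDP", "http", "dc-a", "pipe-1", "feed-1"),
    Endpoint("CDP", "ldap", "dc-a", "pipe-1", "feed-1"),
    Endpoint("CDP", "ldap", "dc-b", "pipe-1", "feed-2"),
    Endpoint("OCSP", "http", "dc-a", "pipe-1", "feed-1"),
    Endpoint("OCSP", "http", "dc-b", "pipe-1", "feed-2"),
    Endpoint("SCEP", "http", "dc-a", "pipe-1", "feed-1"),
    Endpoint("gateway", "https", "dc-a", "pipe-1", "feed-1"),
]

# Constructed fix: every service at both sites, with independent interconnects.
REDUNDANT = [Endpoint(e.service, e.protocol, site, pipe, feed)
             for e in WEAK if e.site == "dc-a"
             for site, pipe, feed in (("dc-a", "pipe-1", "feed-1"),
                                      ("dc-b", "pipe-2", "feed-2"))]

if __name__ == "__main__":
    for (domain, name), lost in single_failure_gaps(WEAK).items():
        print(f"{domain} {name} fails -> offline: {lost}")
    print("redundant layout gaps:", single_failure_gaps(REDUNDANT))
```

In the weak layout the LDAP CDP and OCSP survive the loss of site dc-a, yet the HTTP CDP, SCEP and the gateway do not, and a cut through pipe-1 takes everything down despite the second site.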