microsoft.public.windows.server.clustering

Issue with installing SubOrdinate CA on a Failover Cluster - Second Node -


Hello,
Hi.
I have a 2-tier PKI hierarchy: RootCA (2k8, Standalone, Root) protected by a Luna PCI HSM which signs the CSR of a Sub-Ordinate CA (2k8 R2, domain member, Enterprise, Subordinate) created on 2 machines that should act in a failover cluster.

I successfully installed the rootCA and subordinateCA on the 1st machine on the first cluster node. My guide was “Failover Clustering and Active Directory Certificate Services in Windows Server 2008 and Windows Server 2008 R2” (by Carsten B. Kinder & Mark B. Cooper).

My issue is with installation on the second cluster node. I perform the following operations:
1. First Cluster Node: Backup “Private Key and CA Certificate” on the 1st cluster node.
2. First Cluster Node: During backup, a normal error message appears related to the fact that the private key couldn’t be backed up (normal behavior, as the private key never leaves the HSMs; the HSMs are Luna SA in an HA cluster and the CSP, installed on both subordinate nodes, points to the HA slot of the Luna SA).
3. First Cluster Node: I shut down the first node (in order to make sure that all resources are free for the second cluster node: shared storage, CA db from shared storage, network connections to HSMs).
4. Second Cluster Node: the mmc is opened > adding the “Certificates” snap-in > the snap-in manages certificates for “Computer Account”, Local Computer. In the Certificates snap-in, in “Personal”, I start the import process of the p12 file generated during the first cluster node backup.
5. Second Cluster Node: the certutil –repairstore –csp “Luna CPS for Microsoft Windows” My “certificate_serial_number” command is executed.
6. Second Cluster Node: the ADCS installation (Enterprise, Subordinate) is started and at the “set up Private key” window I choose “use existing private key” > “select a certificate and use its associated private key”.
7. Second Cluster Node: in all documentation I found, at this moment, in the “select existing certificate” window, the “certificates” box should display the certificate from the first cluster node.
8. ISSUE: this certificate does not appear and the “certificates” box is empty.
9. ISSUE: when I try to manually import the p12 file, I got an error related to the fact that the file does not contain the expected CA Type.

10. My debug revealed that the p12 backup file from the first cluster node contains 2 certificates: rootCA and SubordinateCA (certutil –dump x.pfx).
11. The certocm log file on the Second Cluster Node says that the certificate [(in the p12 file) found when executing the “Import” action for the “select existing certificate” box] is self-signed. CONCLUSION: the import action parses the p12 file and uses the rootCA cert in the Import action, instead of the Subordinate Certificate.

Possible resolutions I thought of are (and I hope you can help me with any of these):
1. On the 1st cluster node, create a backup file that contains only the SubordinateCA certificate. Is there any possibility to define which certificates and keys are to be backed up in the generated p12 file?
2. How can I edit/split the p12 file (backup file) so that I will have only the SubordinateCA Certificate in the backup p12 file?
3. What actions may be performed in order to have the Subordinate CA certificate automatically displayed in the “select existing certificate” > “certificates” box?



Written by victorsc 24/11/2010 2.59.28
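The post's resolution 2 asks how to split the backup p12 so that only the SubordinateCA certificate remains. The PowerShell below is an added example, not code from the original post or from the clustering guide it cites; it uses the .NET X509Certificate2Collection API to load every certificate in the PFX, separates the self-signed (root) certificate from the issued (subordinate) one by comparing Subject and Issuer, and writes the subordinate certificate alone as a DER .cer and as a one-certificate PFX. It assumes, as the post describes, that the PFX carries no private key (the key stays in the HSM) and that exactly one non-self-signed certificate is present; all file paths and the CSP name in the trailing comment are placeholders.

```powershell
# Added example (not from the original post): split a CA backup PFX so that
# only the non-self-signed (subordinate CA) certificate remains.
# Assumptions: the PFX holds only certificates (private key lives in the HSM);
# the subordinate CA cert is the one whose Issuer differs from its Subject.
# All paths are placeholders.
param(
    [string]$BackupPfx = 'C:\CABackup\SubCA-backup.p12',   # placeholder path
    [string]$OutputPfx = 'C:\CABackup\SubCA-only.pfx',     # placeholder path
    [string]$OutputCer = 'C:\CABackup\SubCA-only.cer'      # placeholder path
)

# Prompt for the PFX password without echoing it; convert to a plain string
# only for the .NET Import/Export calls (works on Windows PowerShell 5.x too).
$secure = Read-Host -AsSecureString 'PFX password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Load every certificate in the PFX (in the post's case: rootCA and SubordinateCA).
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($BackupPfx, $plain, 'Exportable')

# Classify: a self-signed certificate has Subject == Issuer (the root);
# anything else is a candidate for the subordinate CA certificate.
$selfSigned  = @($bundle | Where-Object { $_.Subject -eq $_.Issuer })
$subordinate = @($bundle | Where-Object { $_.Subject -ne $_.Issuer })

"Found $($bundle.Count) certificate(s): $($selfSigned.Count) self-signed, $($subordinate.Count) issued."
if ($subordinate.Count -ne 1) {
    throw "Expected exactly one subordinate CA certificate, found $($subordinate.Count)."
}
$subCa = $subordinate[0]
"Subordinate CA: $($subCa.Subject)  serial=$($subCa.SerialNumber)  HasPrivateKey=$($subCa.HasPrivateKey)"

# Write the subordinate certificate alone: DER for certutil -addstore, and a
# PFX that contains just this one certificate (no key, so no key material leaves the HSM).
[IO.File]::WriteAllBytes($OutputCer, $subCa.Export('Cert'))
[IO.File]::WriteAllBytes($OutputPfx, $subCa.Export('Pfx', $plain))

# On the second node, the cert can then be placed in the machine Personal store
# and re-linked to the HSM-held key, mirroring step 5 of the post
# (the CSP name is a placeholder; use the one registered on that node):
#   certutil -addstore My C:\CABackup\SubCA-only.cer
#   certutil -repairstore -csp "<Luna CSP name>" My <subordinate_serial_number>
```

Because the exported PFX now contains a single certificate whose Subject differs from its Issuer, a consumer that takes the first (or only) certificate from the file cannot pick up the self-signed root by mistake, which is the failure mode the post's point 11 describes. Confirm the result with the post's own check (certutil –dump on the new file) before relying on it, and keep the original backup untouched.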