I'm trying to update my Intermediate CA in a two-node cluster.
I pause the failover node and update the cert with my offline root and add it to the store. All this appears to work fine. I can see my new certificate.
I import the new cert to the failover. Update the registry to have that as a second key.
I can restart the services on the active node while the failover is paused. Everything works.
After I fail over, the new certificate is not there, as if the DB knows nothing about it.
If I try to fail back, I get an error about "illegal operation attempted on a registry key".
If I fail back and forth once more, the key is gone.
I'm following this article: https://social.technet.microsoft.com/wiki/contents/articles/9256.active-directory-certificate-services-ad-cs-clustering.aspx
David Jenkins