Hi
Example scenario - we have an Enterprise PKI, Windows 2008 R2, with a Root CA (offline) and multiple Subordinate CAs that issue the certs. The certificates in this example are authentication certs and we choose not to publish to AD.
We then lose one of the Subordinate CAs. What effect does this have on clients trying to connect in? New certs can be issued from another Subordinate CA; however, does the CRL/OCSP responder HAVE to be on the CA itself?
And even if they aren't, does the fact that the CA's database is unavailable mean anything?