A certificate system provides a security framework to ensure that network resources are accessed by authorized users. The certificate system is capable of generating digital certificates (certificates) for different users to verify the identity of a presenter. The certificate system can include interoperating subsystems to perform various Public Key Infrastructure (PKI) operations, such as issuing, renewing, suspending, revoking, archiving and recovering keys, publishing Certificate Revocation Lists (CRLs), verifying certificate status, and managing the certificates that are needed to handle strong authentication and secure communications. The certificate system can include a Certificate Authority (CA) subsystem to issue and revoke certificates, a Data Recovery Manager (DRM) subsystem to recover lost keys, an Online Certificate Status Responder (OCSP) subsystem to verify whether a certificate is valid, a Registration Authority (RA) subsystem to accept certificate requests and verify whether a request should be approved, a Token Key Service (TKS) subsystem to format tokens and process certificates on a token, and a Token Processing System (TPS) to manage certificates on tokens.
A CA subsystem issues certificates, each of which has a unique serial number. An initial CA subsystem can be cloned to support large deployments, creating a high availability certificate system that includes multiple CA subsystems. Each CA subsystem can receive certificate requests and issue certificates. To ensure that each certificate that is issued has a unique serial number, each CA subsystem must have a range of serial numbers that does not overlap the range of any other CA subsystem. The current state of the art, however, does not provide a way to efficiently manage the allocation of serial numbers to CA subsystems in a high availability certificate system that includes hundreds of cloned CA subsystems.
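The uniqueness requirement above can be checked mechanically. The following is an added example, not part of the original text or of any certificate system's own code: it audits the serial ranges assigned to cloned CA subsystems for overlap and flags issued serials that are duplicated or fall outside the issuer's range. The clone names, range values and issuance records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SerialRange:
    ca_id: str   # hypothetical identifier of a CA subsystem (master or clone)
    begin: int   # first serial number in the range, inclusive
    end: int     # last serial number in the range, inclusive

def find_overlaps(ranges):
    """Report every range that intersects an earlier one, paired with the
    earlier range that reaches furthest. One sorted sweep, O(n log n)."""
    overlaps, widest = [], None
    for r in sorted(ranges, key=lambda x: (x.begin, x.end)):
        if r.begin > r.end:
            raise ValueError(f"{r.ca_id}: begin is greater than end")
        if widest is not None and r.begin <= widest.end:
            overlaps.append((widest.ca_id, r.ca_id))
        if widest is None or r.end > widest.end:
            widest = r
    return overlaps

def audit_issued(ranges, issued):
    """Return (ca_id, serial, reason) for each issued serial that lies outside
    the issuer's assigned range or was already issued by any CA subsystem."""
    by_ca = {r.ca_id: r for r in ranges}
    first_issuer, findings = {}, []
    for ca_id, serial in issued:
        r = by_ca.get(ca_id)
        if r is None or not (r.begin <= serial <= r.end):
            findings.append((ca_id, serial, "outside assigned range"))
        if serial in first_issuer:
            findings.append((ca_id, serial, f"duplicate of {first_issuer[serial]}"))
        else:
            first_issuer[serial] = ca_id
    return findings

# Constructed sample data: ca-clone2 was given a range that cuts into ca-clone1's.
RANGES = [
    SerialRange("ca-master", 0x0001, 0x1000),
    SerialRange("ca-clone1", 0x1001, 0x2000),
    SerialRange("ca-clone2", 0x1F00, 0x3000),
]
# Constructed issuance records as (issuing CA, certificate serial number).
ISSUED = [("ca-master", 0x10), ("ca-clone1", 0x1F80),
          ("ca-clone2", 0x1F80), ("ca-clone2", 0x10)]

if __name__ == "__main__":
    for a, b in find_overlaps(RANGES):
        print(f"range conflict: {a} and {b}")
    for ca_id, serial, reason in audit_issued(RANGES, ISSUED):
        print(f"{ca_id} serial {serial:#x}: {reason}")
```

Both serials in the overlapping window pass the per-clone range check, which is why the range audit and the issuance audit are run together.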