AD CS: CRL distribution point locations should include the CRL name suffix

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server® 2008 R2 and Windows Server® 2012

Product/Feature

Active Directory Certificate Services

Severity

Warning

Category

Configuration

Issue

The location of the certificate revocation list (CRL) specified in the CRL distribution point extension is not configured to include the CRL name suffix.

The CRL is required by applications to validate certificates presented to them by computers and users. A digital certificate that supports the X.509 version 3 format can include a CRL distribution point extension to specify the Uniform Resource Identifier (URI) of the CRL. The URI is used during certificate validation to retrieve the CRL and store a local copy for future use.

The CRL name suffix is one of several substitution variables used by a CA to represent components of URIs, such as host and file names. The variables are translated by the CA during certificate issuance to ensure that the URIs added to certificate extensions reflect correct locations of the CRL. The CRL name suffix represents the CRL index value that is incremented each time the CRL is published.

Because new and expired CRLs are published to the same location, the value of the CRL index is appended to the CRL's file name to create a unique URI. When the CRL name suffix variable is used, the URIs added to certificate extensions immediately reflect the location of the newly published CRL.

Impact

Clients may not be able to locate the correct version of the CRL to check the revocation status of a certificate, and certificate validation may fail.

If substitution variables are not used, the extension settings must be manually updated when a CRL is published. Manual configuration increases administration costs and presents a potential for error and delay between CRL publishing and CA configuration. Certificates issued with inaccurate CRL locations might cause application failure if the application requires revocation status to validate certificates.

Resolution

Use the Certification Authority snap-in to configure the CRL distribution point extension to include the CRL name suffix in each location.

The default locations of the CRL are added to the CRL distribution point extension settings during CA installation, and the CA is configured to include the default locations in the extensions of all issued certificates. If the default locations are not present or are not valid, use the following procedure to add valid locations and configure them to be included in issued certificates.

To configure CRL distribution point extension settings

  1. On the CA, open the Certification Authority snap-in.

  2. In the console tree, right-click the CA, and then click Properties.

  3. Click the Extensions tab.

  4. In Select extension, click CRL Distribution Point.

  5. If the Specify locations list does not include a valid location for the CRL, click Add to open the Add Location dialog box.

Note

A URI is generated by typing components of the URI and inserting substitution variables to represent other components. For details about configuring extensions, see Specify CRL Distribution Points.

  6. Click OK to save the location. Repeat to add multiple locations.

  7. In the Specify locations list, click a location, and then select the Include in the CRL distribution point extension of issued certificates check box.

  8. Click OK to save changes. Active Directory Certificate Services must be restarted for the changes to take effect.
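The same check and fix can be scripted. The following is an added example, not part of this topic; it assumes the ADCSAdministration module (Get-CACrlDistributionPoint, Remove-CACrlDistributionPoint, Add-CACrlDistributionPoint, available from Windows Server 2012) and uses a constructed set of locations so the audit logic can be read without a CA.

```powershell
# Added example: audit CRL distribution point locations for <CRLNameSuffix>
# and rewrite those that lack it. Assumes the ADCSAdministration module on the CA.

function Test-CdpHasCrlNameSuffix {
    # Emits one result per location that is included in issued certificates.
    param([Parameter(Mandatory)][object[]]$Locations)

    foreach ($loc in $Locations) {
        # Only locations added to the CDP extension of issued certificates matter;
        # %8 is the certutil registry token for <CRLNameSuffix>.
        if (-not $loc.AddToCertificateCdp) { continue }
        $hasSuffix = $loc.Uri -match '<CRLNameSuffix>|%8'
        # Insert the suffix before <DeltaCRLAllowed> (if present) and ".crl", so the
        # corrected URI keeps the CA's usual <CaName><CRLNameSuffix><DeltaCRLAllowed>.crl shape.
        $suggested = if ($hasSuffix) { $loc.Uri }
                     else { $loc.Uri -replace '(<DeltaCRLAllowed>)?\.crl$', '<CRLNameSuffix>$1.crl' }
        [pscustomobject]@{ Uri = $loc.Uri; HasSuffix = $hasSuffix; Suggested = $suggested }
    }
}

# Constructed sample (hypothetical host pki.example.test) mirroring the objects
# returned by Get-CACrlDistributionPoint. The second entry is the BPA finding.
$sample = @(
    [pscustomobject]@{ Uri = 'http://pki.example.test/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'; AddToCertificateCdp = $true }
    [pscustomobject]@{ Uri = 'http://pki.example.test/CertEnroll/<CaName><DeltaCRLAllowed>.crl';                AddToCertificateCdp = $true }
    [pscustomobject]@{ Uri = 'C:\Windows\system32\CertSrv\CertEnroll\<CaName>.crl';                             AddToCertificateCdp = $false }
)
Test-CdpHasCrlNameSuffix -Locations $sample | Format-Table -AutoSize

# On the CA itself: set $Apply = $true to rewrite flagged locations. The cmdlets
# only change the CA's configuration; certsvc must restart before new certificates
# carry the corrected URI. Confirm the rewritten pattern matches the file name
# pattern the CA publishes to, or clients will not find the CRL at that URI.
$Apply = $false
if ($Apply -and (Get-Command Get-CACrlDistributionPoint -ErrorAction SilentlyContinue)) {
    $live = Test-CdpHasCrlNameSuffix -Locations (Get-CACrlDistributionPoint)
    foreach ($f in ($live | Where-Object { -not $_.HasSuffix })) {
        Remove-CACrlDistributionPoint -Uri $f.Uri -Force
        Add-CACrlDistributionPoint -Uri $f.Suggested -AddToCertificateCdp -Force
    }
    Restart-Service certsvc
}
```

Re-adding a location with Add-CACrlDistributionPoint sets only the flags you pass, so include -AddToCrlCdp, -PublishToServer or other flags the original location carried if you need them preserved.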

Additional references