AD CS: Web server role should be installed if authority information access extension URIs refer to the local web server

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server® 2008 R2 and Windows Server® 2012

Product/Feature

Active Directory Certificate Services

Severity

Warning

Category

Configuration

Issue

The authority information access extension on this certification authority (CA) refers to the local Web server; however, the Web Server role is not installed.

The authority information access extension in issued certificates provides the network location of the issuing CA's certificate. The CA certificate is required by applications to validate certificates presented to them by computers and users. A digital certificate that supports the X.509 version 3 format can include an authority information access extension to specify the Uniform Resource Identifier (URI) of the issuing CA certificate. The URI is used by applications during certificate validation to retrieve the CA certificate.

Impact

Clients may not be able to locate the issuing CA's certificate, and certificate validation may fail.

The authority information access extension is defined during CA setup and includes a default URI that refers to the server that hosts the CA. If the Web Server role is not installed on the CA server, then the HTTP URI included in the extension is not valid.

Resolution

Use Server Manager to start or add the Web Server role service and add virtual directories to match the HTTP URI included in the authority information access extension. Otherwise, remove the HTTP URI from the extension by using the Certification Authority snap-in.

It is important that the locations included in the authority information access extension are valid and accessible to clients. Check the CA's extension configuration and ensure that all defined locations are valid, or remove the locations you do not intend to use for publishing the CA certificate.

The authority information access extension is not required in certificates. However, it is a best practice to publish the CA certificate to one or more network locations and include the URIs in the authority information access extensions of issued certificates. URIs using LDAP, HTTP, or UNC formats are supported, and a default location using each protocol is defined during CA setup. If you do not plan to publish the CA certificate to each of the defined locations, then you can safely remove the unused locations from the extension. However, it is recommended to publish the CA certificate to multiple network locations that use different network protocols.

To configure the authority information access extension

  1. On the CA, open the Certification Authority snap-in.

  2. Right-click the name of the CA, and click Properties to open the CA property sheet.

  3. Click the Extensions tab.

  4. In Select extension, select Authority Information Access to display the list of locations.

  5. To add a URI, click Add to open the Add Location dialog box.

  6. Type the URI in the Location box, and click OK.

  7. Click a location, and note the state of the Include in the authority information access extension of issued certificates check box.

Important

Each location must be configured separately. First, select the location in the list. Then, select or clear the Include in the authority information access extension of issued certificates check box. The state of the check box applies only to the location that is selected.
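The same review and change can be made from a PowerShell prompt on the CA instead of the snap-in. The following is an added example, not part of this topic; it uses the ADCSAdministration module that ships with the AD CS role on Windows Server 2012 (on Windows Server 2008 R2 only the certutil line at the end applies). The host name pki.contoso.com and the CA name are constructed placeholders.

```powershell
# Added example: review and adjust the authority information access (AIA)
# locations from PowerShell. Run on the CA as a CA administrator.
Import-Module ADCSAdministration

# Step 4 equivalent: list every configured location with its flags.
# AddToCertificateAia is the "Include in the authority information access
# extension of issued certificates" check box for that location.
Get-CAAuthorityInformationAccess |
    Format-Table Uri, AddToCertificateAia, AddToCertificateOcsp -AutoSize

# Steps 5-7 equivalent: add a location on a web server that will actually host
# the CA certificate and mark it for inclusion in issued certificates.
# %1 = ServerDNSName, %3 = CaName, %4 = CertificateName; these are the same
# substitution tokens the snap-in shows in the Add Location dialog box.
# pki.contoso.com is a constructed placeholder.
Add-CAAuthorityInformationAccess `
    -Uri 'http://pki.contoso.com/CertEnroll/%1_%3%4.crt' `
    -AddToCertificateAia -Force

# If the Web Server role will not be installed on the CA, remove the default
# location that points at the CA's own DNS name (the %1 token) so that issued
# certificates do not carry an HTTP URI nothing answers at.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -like 'http://%1/*' } |
    Remove-CAAuthorityInformationAccess -Force

# The CA service reads the extension configuration at start-up; restart it so
# certificates issued from now on carry the updated locations.
Restart-Service -Name CertSvc

# Re-read the configuration to confirm the change.
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia -AutoSize

# Windows Server 2008 R2 has no ADCSAdministration module; the same data is the
# registry value CA\CACertPublicationURLs. Each entry is "<flags>:<uri>", where
# flag 2 means "include in the AIA extension of issued certificates".
certutil -getreg CA\CACertPublicationURLs
```

Whether a location is included in issued certificates is a per-location flag, as the Important note above says; the Where-Object filter therefore selects one URI at a time rather than clearing the whole list.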

During CA setup a default HTTP location is defined with the URI https://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt. Using Server Manager to install the CA Web Enrollment role service also installs the Web Server role, creates the CertEnroll virtual directory, and publishes the CA certificate to the default URI. In many environments, installing the CA Web Enrollment role service on the CA is an appropriate configuration and it is the simplest resolution to implement.
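The "simplest resolution" described above can also be carried out from PowerShell on Windows Server 2012. This is an added example, not part of this topic; it assumes the CA role is already installed on the local server and that the account is a member of the local Administrators group. The CA name in the final URI is a constructed placeholder.

```powershell
# Added example: install the CA Web Enrollment role service, which pulls in
# the Web Server (IIS) role and creates the CertEnroll virtual directory that
# the default AIA location points at.
Install-WindowsFeature -Name ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsWebEnrollment -Force      # ADCSDeployment module; configures the role service

# Confirm the CertEnroll virtual directory exists and where it maps to. The CA
# writes its certificate to %SystemRoot%\System32\CertSrv\CertEnroll at setup,
# with or without IIS present.
Import-Module WebAdministration
Get-WebVirtualDirectory -Site 'Default Web Site' -Name 'CertEnroll' |
    Select-Object Name, PhysicalPath

# List the published CA certificate file(s); the file name follows the
# <ServerDNSName>_<CaName><CertificateName>.crt pattern from the default URI.
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll" -Filter *.crt

# Fetch the certificate over HTTP exactly as a relying party would, using the
# CA's own DNS name. A 200 status means the default location now resolves.
# "Contoso Issuing CA" is a constructed placeholder; use the real file name
# from the listing above (spaces must be URL-encoded as %20).
$fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$uri  = "http://$fqdn/CertEnroll/${fqdn}_Contoso%20Issuing%20CA.crt"
(Invoke-WebRequest -Uri $uri -UseBasicParsing).StatusCode
```

The final request is the check that matters for this BPA rule: the warning is about a URI that issued certificates advertise but that no web server answers, so confirming an HTTP response for the advertised file name verifies the fix end to end.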

Some organizations might choose not to install the Web Server role on the same server as the CA. Any valid URI can be added to the extension, and the CA certificate can be exported to a remote Web server. To review the procedures for creating virtual directories, see IIS 6.0 Web Site Setup and IIS 7.0: Create a Virtual Directory.

To export the CA certificate to a remote Web server

  1. Export the certificate to a file.

  2. Copy the file to the Web server location described by the URI in the authority information access extension.
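For organizations that keep the Web Server role off the CA, the two steps above can be scripted and, more importantly, verified. The following is an added example, not part of this topic. It assumes (all constructed) that the remote web server is pki.contoso.com, that the share \\pki.contoso.com\CertEnroll$ maps to that site's CertEnroll virtual directory, that the CA is named "Contoso Issuing CA", and that issued-cert.cer is any certificate issued by this CA.

```powershell
# Added example: export the CA certificate, publish it to a remote web server
# that hosts the HTTP AIA location, and verify that clients can retrieve it.

# Step 1: export the CA's current certificate (DER-encoded .crt). -config
# selects the CA when more than one is reachable. CA name is a placeholder.
$exportPath = Join-Path $env:TEMP 'ca-cert.crt'
certutil -config "$env:COMPUTERNAME\Contoso Issuing CA" -ca.cert $exportPath

# The published file name must match what the AIA URI advertises. Take the
# name the CA itself uses in its local CertEnroll directory rather than
# composing it by hand (the newest file is the current CA certificate).
$published = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll" -Filter *.crt |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

# Step 2: copy the file to the remote web server under the advertised name.
# The UNC path is a constructed placeholder.
Copy-Item -Path $exportPath -Destination "\\pki.contoso.com\CertEnroll$\$($published.Name)"

# Verification 1: download the certificate over HTTP as a relying party would
# and compare its SHA-256 hash with the exported file.
$uri        = "http://pki.contoso.com/CertEnroll/$([uri]::EscapeDataString($published.Name))"
$downloaded = Join-Path $env:TEMP 'aia-check.crt'
Invoke-WebRequest -Uri $uri -OutFile $downloaded -UseBasicParsing

$sha  = [System.Security.Cryptography.SHA256]::Create()
$hash = { param($p) [BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($p))) }
if ((& $hash $downloaded) -eq (& $hash $exportPath)) {
    "AIA location $uri serves the current CA certificate"
} else {
    throw "Content at $uri does not match the exported CA certificate"
}

# Verification 2: build the chain for a certificate issued by this CA while
# fetching every AIA and CDP URL it contains; a failed URL is reported inline.
# issued-cert.cer is a constructed placeholder.
certutil -verify -urlfetch .\issued-cert.cer
```

Run the verification from a client on the network rather than from the CA where possible, since the point of the extension is that machines other than the CA can fetch the certificate.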

Additional references