AD CS: Authority information access locations should be included in the extensions of issued certificates

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server® 2008 R2 and Windows Server® 2012

Product/Feature: Active Directory Certificate Services

Severity: Warning

Category: Configuration

Issue

This certification authority (CA) is not configured to include authority information access locations in the extensions of issued certificates. The authority information access extension provides the network location of the issuing CA's certificate.

Impact

Clients may not be able to locate the issuing CA's certificate to build a certificate chain, and certificate validation may fail.

Certificate validation is critical to a correctly functioning public key infrastructure (PKI). A certification path that leads to a trusted root certificate is a requirement for a valid certificate. To build a certification path, the issuing CA's certificate is retrieved by CryptoAPI, which reads the authority information access extension of issued certificates to identify the network location of the CA's certificate. If the extension does not include the location of the CA certificate, then certificate validation cannot be completed and applications that require the certificate might fail.

Resolution

Use the Certification Authority snap-in to configure the authority information access extension and specify the network location of the issuing CA's certificate.

The default locations of the CA certificate are added to the authority information access extension settings during CA installation, and the CA is configured to include the default locations in the extensions of all issued certificates. If the default locations are not present or are not valid, use the following procedure to add valid locations and configure them to be included in issued certificates.

To configure authority information access extension settings

  1. Open the Certification Authority snap-in.

  2. In the console tree, right-click the CA, and then click Properties.

  3. Click the Extensions tab.

  4. In Select extension, click Authority Information Access.

  5. If the Specify locations list does not include a valid location for the CA certificate, click Add to open the Add Location dialog box, and type a valid location. Click OK. Repeat to add multiple locations.

  6. In the Specify locations list, click a location, and then select the Include in the authority information access extension of issued certificates check box.

  7. Click OK to save changes. Active Directory Certificate Services must be restarted for the change to take effect.

Important

You should verify the specified location before issuing certificates that include it.
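One way to carry out that verification, as an added example that is not part of this article: the PowerShell script below reads the same authority information access locations that the Extensions tab edits (the CA's CACertPublicationURLs registry value), reports which ones carry the "include in the AIA extension of issued certificates" flag, and probes each included HTTP location. It assumes it runs on the CA with local administrator rights, that the current CA certificate has no renewal suffix (so the %4 token expands to nothing), and that only the %1, %3 and %4 tokens need expanding for the HTTP locations; LDAP and file locations are listed but not probed.

```powershell
# Added example, not Microsoft's own tooling: audit the CA's configured
# authority information access (AIA) locations and probe the HTTP ones.
# Assumption: runs on the CA itself with administrative rights.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$urls   = (Get-ItemProperty -Path "$cfg\$caName" -Name CACertPublicationURLs).CACertPublicationURLs

# Each entry is "<flags>:<location>". Flag bits: 1 = publish the CA certificate
# to this location, 2 = include in the AIA extension of issued certificates,
# 32 = include in the OCSP extension. The BPA warning fires when no entry has bit 2.
$IncludeInAia = 2

# AD CS tokens: %1 = server DNS name, %3 = CA name, %4 = CA certificate renewal
# suffix. Assumption: the current CA certificate has no renewal suffix (%4 -> '').
# LDAP tokens (%6, %7, %11) are left unexpanded; those locations are not probed.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$report = foreach ($entry in $urls) {
    $flags, $location = $entry -split ':', 2
    $included = ([int]$flags -band $IncludeInAia) -ne 0
    $resolved = $location -replace '%1(?!\d)', $fqdn -replace '%3(?!\d)', $caName -replace '%4(?!\d)', ''
    $status = 'not probed'
    if ($included -and $resolved -match '^https?://') {
        try {
            # A HEAD request is enough to confirm the .crt file is served.
            $r = Invoke-WebRequest -Uri $resolved -Method Head -UseBasicParsing -TimeoutSec 10
            $status = "HTTP $($r.StatusCode)"
        } catch {
            $status = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ IncludedInAIA = $included; Location = $resolved; Status = $status }
}
$report | Format-Table -AutoSize

if (-not ($report | Where-Object IncludedInAIA)) {
    Write-Warning 'No location is flagged for inclusion in the AIA extension of issued certificates.'
}
```

Any location reported as UNREACHABLE should be corrected in the Extensions tab before certificates that reference it are issued, and the service restarted as in step 7.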

Additional references