Configure CDP and AIA Extensions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

After a root or subordinate CA is installed, you must configure the Authority Information Access (AIA) and CRL distribution point (CDP) extensions before the CA issues any certificates. The AIA extension specifies where to find up-to-date certificates for the CA. The CDP extension specifies where to find up-to-date CRLs that are signed by the CA. These extensions apply to all certificates that are issued by that CA.

Configuring these extensions ensures that this information is included in each certificate that the CA issues, so that it is available to all clients. This keeps PKI clients' failures from unverifiable certificate chains or revocation checks to a minimum; such failures can otherwise cause unsuccessful VPN connections, failed smart card logons, or unverified e-mail signatures.

Follow these guidelines when configuring CDP extension URLs:

  • Avoid publishing delta CRLs on offline root CAs. Because you do not revoke many certificates on an offline root CA, a delta CRL is probably not needed.

  • Adjust the default LDAP:/// and https:// URL locations on the Extensions tab of the certification authority Properties page according to your needs. Do not remove the local CDP location, however. The CA requires the local CDP location in order to publish the CRL to itself. The CA uses the local CRL to validate all certificates before they are issued to users. The local path does not show in the CDP extension of issued certificates.

  • Enable the publication of delta CRLs, regardless of whether delta CRLs are going to be published, to allow for the potential use of delta CRLs in the future. Enable delta CRL publication by selecting the Publish Delta CRLs to this location check box.

  • Publish both the LDAP and HTTP URLs for CDP locations to enable clients to retrieve CRL data with HTTP and LDAP. If required, publish a CRL on an HTTP Internet or extranet location so that users and applications outside the organization can perform certificate validation.

  • Consider using Active Directory–based publication. An LDAP certificate revocation list URL distributed by means of Active Directory is replicated in a fault-tolerant, distributed, highly available manner. However, replication of CRL data among Active Directory domain controllers introduces some latency.

  • For certificates that are to be validated by clients that use Active Directory, place the LDAP CDP location first in the list to optimize client revocation checking. Windows clients always retrieve the list of URLs in sequential order until a valid CRL is retrieved.

  • Provide an additional HTTP CDP location or an alternative LDAP path to CRLs for clients that cannot use Active Directory or LDAP.

Follow these guidelines when publishing HTTP-based CRLs:

  • If you are providing an HTTP CDP location, use round robin DNS or Web server virtual names to provide redundancy in the HTTP URL.

  • Use HTTP CDP locations to provide accessible CRL locations for clients running operating systems other than Windows.

  • Place HTTP CDP URLs second in the list of the URLs in the CDP extension if the CRL is distributed with Active Directory as well.
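The same settings that the Extensions tab exposes are stored in the CA's CRLPublicationURLs and CACertPublicationURLs registry values, which certutil -setreg can write from a script. The following batch file is an added example, not code from this article or from Microsoft's product documentation. It assumes an enterprise issuing CA whose Certificate Services run on the machine where the script is executed, uses http://pki.example.com/pki/ as a placeholder for a web server you host yourself, and relies on certutil's documented %n replacement tokens and URL flag bits. It applies the guidelines above: the local path is kept, the LDAP URL is listed before the HTTP URL, and delta CRL publication is enabled.

```batch
@echo off
REM Added example (not from the original article): configure the CDP and AIA
REM extensions on a Windows Server 2003 CA with certutil -setreg.
REM Assumptions: you are a CA administrator on the CA itself, and
REM http://pki.example.com/pki/ is a placeholder for your own web server.
REM %%n are certutil replacement tokens (doubled because this is a .cmd file;
REM type a single % when running the command at a prompt):
REM   %%1 ServerDNSName  %%2 ServerShortName  %%3 CaName  %%4 CertificateName
REM   %%6 ConfigurationContainer  %%7 CATruncatedName  %%8 CRLNameSuffix
REM   %%9 DeltaCRLAllowed  %%10 CDPObjectClass  %%11 CAObjectClass

REM The number in front of each URL is the sum of certutil's URL flag bits:
REM   1  = publish CRLs to this location
REM   2  = include in the CDP (or AIA) extension of issued certificates
REM   4  = include in the Freshest CRL extension of issued certificates
REM   8  = include in all CRLs (Active Directory publication target)
REM   64 = publish delta CRLs to this location
REM Local path 65 (1+64): base and delta CRLs are published locally, and the
REM path is never written into issued certificates.
REM LDAP 79 (1+2+4+8+64) is listed first, HTTP 6 (2+4) second, so Windows
REM clients that can use Active Directory try LDAP before HTTP.
REM On an offline root CA, where delta CRLs are not needed, drop bit 64.
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n6:http://pki.example.com/pki/%%3%%8%%9.crl"

REM AIA: 1 = publish the CA certificate locally, 2 = include the URL in the
REM AIA extension of issued certificates (LDAP first, HTTP second).
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://pki.example.com/pki/%%1_%%3%%4.crt"

REM The new values take effect when Certificate Services restarts; then
REM publish a fresh CRL to every location flagged with bit 1 or 64.
net stop certsvc
net start certsvc
certutil -crl

REM Check what was written before issuing any certificates.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

After the first certificate is issued, run certutil -verify -urlfetch against that certificate file from a domain-joined client and from a client outside Active Directory: the first confirms the LDAP and HTTP locations both serve the CRL and CA certificate, the second confirms the HTTP copy alone is enough for clients that cannot reach LDAP. Do this before enrolling users, because a CDP or AIA URL that is unreachable only shows up as chain-building or revocation failures on the client side.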