Specify CA certificate access points in issued certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To specify CA certificate access points in issued certificates

  1. Log on to the system as a Certification Authority Administrator.

  2. Open Certification Authority.

  3. In the console tree, click the name of the certification authority (CA).

    Where?

    • Certification Authority (Computer)/CA name

  4. On the Action menu, click Properties.

  5. On the Extensions tab, click Select extension, and then click Authority Information Access (AIA).

  6. Specify the locations from which users can obtain the certificate for this CA.

    | To | Do this |
    |---|---|
    | Add a URL that will be published as part of any certificate issued by a CA. | Click Add, then type a URL where users can obtain the CA's certificate. |
    | Remove an authority information URL from the list on issued certificates. | Click the URL and then click Remove. |
    | Indicate that you do not want to use a URL as an authority information access point in certificates without removing it from the list. | Clear the Include in the AIA extension of issued certificates check box. |
    | Indicate that a URL can now be used as an authority information access point. | Select the Include in the AIA extension of issued certificates check box. |
    | Indicate that a URL can now be used for online certificate status protocol (OCSP). | Select the Include in the online certificate status protocol (OCSP) extension check box. |
    | Indicate that you do not want to use a URL for online certificate status protocol (OCSP) in certificates without removing it from the list. | Clear the Include in the online certificate status protocol (OCSP) extension check box. |

  7. Stop and restart the Certificate Services service.

Notes

  • To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

  • Authority information access URLs can be HTTP, FTP, LDAP, or FILE addresses. You can use the following variables when specifying the address of the authority information access point:

    | Variable | Value |
    |---|---|
    | CAName | The name of the certification authority. |
    | CAObjectClass | The object class identifier for a certification authority, used when publishing to an LDAP URL. |
    | CATruncatedName | The "sanitized" name of the certification authority, truncated to 32 characters with a hash on the end. |
    | CDPObjectClass | The object class identifier for CRL distribution points, used when publishing to an LDAP URL. |
    | CertificateName | The renewal extension of the certification authority. |
    | ConfigurationContainer | The location of the Configuration container in Active Directory. |
    | CRLNameSuffix | Inserts a name suffix at the end of the file name when publishing a CRL to a file or URL location. |
    | DeltaCRLAllowed | When a delta CRL is published, this replaces the CRLNameSuffix with a separate suffix to distinguish the delta CRL. |
    | ServerDNSName | The DNS name of the certification authority server. |
    | ServerShortName | The NetBIOS name of the certification authority server. |

  • To stop and restart the Certificate Services service, see Related Topics.
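
To audit what the check boxes in step 6 and the variables above actually put into issued certificates, the following Python sketch (an added example, not part of the original topic or Microsoft code) decodes entries in the form the CA stores them in its CACertPublicationURLs registry value. The numeric flag prefixes and the %n token numbers are assumptions taken from how AD CS represents these settings and are not shown on this page; the host names and CA values are constructed.

```python
import re

# Flag prefixes on each entry (assumed from AD CS; not listed on the page).
IN_AIA = 0x02   # "Include in the AIA extension of issued certificates"
IN_OCSP = 0x20  # "Include in the online certificate status protocol (OCSP) extension"

# %n token numbers for the page's variables (assumed from AD CS).
TOKENS = {1: "ServerDNSName", 2: "ServerShortName", 3: "CAName",
          4: "CertificateName", 6: "ConfigurationContainer",
          7: "CATruncatedName", 8: "CRLNameSuffix", 9: "DeltaCRLAllowed",
          10: "CDPObjectClass", 11: "CAObjectClass"}

def expand(template, values):
    """Replace each %n token with the value of the matching variable."""
    def sub(m):
        name = TOKENS.get(int(m.group(1)))
        # Unknown token numbers are left untouched rather than guessed at.
        return m.group(0) if name is None else values.get(name, "")
    return re.sub(r"%(\d+)", sub, template)

def issued_cert_urls(entries, values):
    """Return (aia_urls, ocsp_urls) that issued certificates will carry."""
    aia, ocsp = [], []
    for entry in entries:
        flags, _, template = entry.partition(":")  # split on the first colon only
        flags, url = int(flags), expand(template, values)
        if flags & IN_AIA:
            aia.append(url)
        if flags & IN_OCSP:
            ocsp.append(url)
    return aia, ocsp

# Constructed sample configuration and CA values.
SAMPLE_ENTRIES = [
    r"1:C:\WINDOWS\system32\CertSrv\CertEnroll\%1_%3%4.crt",  # local publish only
    "3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11",
    "2:http://pki.example.com/CertEnroll/%1_%3%4.crt",
    "0:http://old.example.com/CertEnroll/%1_%3%4.crt",        # both boxes cleared
    "32:http://ocsp.example.com/ocsp",
]
SAMPLE_VALUES = {
    "ServerDNSName": "ca01.example.com", "CAName": "ExampleCA",
    "CATruncatedName": "ExampleCA", "CertificateName": "(1)",
    "ConfigurationContainer": "CN=Configuration,DC=example,DC=com",
    "CAObjectClass": "?cACertificate?base?objectClass=certificationAuthority",
}

if __name__ == "__main__":
    print(issued_cert_urls(SAMPLE_ENTRIES, SAMPLE_VALUES))
```

The entry with flag 0 stays in the list but never reaches an issued certificate, which corresponds to clearing both check boxes without removing the URL.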

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Specify online certificate status protocol responder in issued certificates
Working with MMC console files
Start or stop the certification authority service
Configuring the policy and exit modules