AD CS: CRL distribution point locations should be included in the extensions of issued certificates

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.


Operating System

Windows Server® 2008 R2 and Windows Server® 2012


Active Directory Certificate Services





This certification authority (CA) is not configured to include certificate revocation list (CRL) distribution point locations in the extensions of issued certificates. The CRL distribution point extension provides the network location of the CRL.

Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail.

Certificate validation is critical to a correctly functioning public key infrastructure (PKI). Many applications require revocation status checking during certificate validation. The CRL is retrieved by the revocation provider, which reads the CRL distribution point extension of issued certificates to identify the network location of the CRL. If the extension does not include the location of the CRL, then certificate validation cannot be completed and might cause application failure.

Use the Certification Authority snap-in to configure the CRL distribution point extension and specify the network location of the CRL.

The default locations of the CRL are added to the CRL distribution point extension settings during CA installation, and the CA is configured to include the default locations in the extensions of all issued certificates. If the default locations are not present or are not valid, use the following procedure to add valid locations and configure them to be included in issued certificates.

  1. On the CA, open the Certification Authority snap-in.

  2. In the console tree, right-click the CA, and then click Properties.

  3. Click the Extensions tab.

  4. In Select extension, click CRL Distribution Point.

  5. If the Specify locations list does not include a valid location for the CRL, click Add to open the Add Location dialog box, and type a valid location. Click OK to save the location. Repeat to add multiple locations.

  6. In the Specify locations list, click a location, and then select the Include in the CRL distribution point extension of issued certificates check box.

  7. Click OK to save changes. Active Directory Certificate Services must be restarted for the change to take effect.

You should verify the specified location before issuing certificates that include it.

Community Additions