AD CS: Authority information access locations should include the certificate name suffix

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server® 2008 R2 and Windows Server® 2012

Product/Feature

Active Directory Certificate Services

Severity

Warning

Category

Configuration

Issue

The location of the certification authority (CA) certificate specified in the authority information access extension is not configured to include the certificate name suffix.

The CA certificate is required by applications to validate certificates presented to them by computers and users. A digital certificate that supports the X.509 version 3 format can include an authority information access extension to specify the Uniform Resource Identifier (URI) of the issuing CA certificate. The URI is used by applications during certificate validation to retrieve the CA certificate.

The certificate name suffix is one of several substitution variables used by a CA to represent components of URIs, such as host and file names. The variables are translated by the CA during certificate issuance to ensure the URIs added to certificate extensions reflect correct locations of the CA certificate. The certificate name suffix represents the CA certificate index value that is incremented each time the CA certificate is renewed.

Because the new and expired certificates are published to the same location, the value of the certificate index is appended to a certificate's file name to create a unique URI. When the certificate name suffix variable is used, the URIs added to certificate extensions immediately reflect the location of the new CA certificate.

The URIs of CA certificates should not be changed after they are published because issued certificates referencing the URIs can be valid beyond the expiration date of the CA certificate.

Impact

Clients may not be able to locate the correct version of the issuing CA's certificate to build a certificate chain, and certificate validation may fail.

If substitution variables are not used, the extension settings must be manually updated when the CA certificate is renewed. Manual configuration increases administration costs and presents a potential for error and delay between certificate renewal and CA configuration. Certificates issued with inaccurate CA certificate locations cannot be validated, which might cause application failure.

Resolution

Use the Certification Authority snap-in to configure the authority information access extension to include the certificate name suffix in each location.

The default locations of the CA certificate are added to the authority information access extension settings during CA installation, and the CA is configured to include the default locations in the extensions of all issued certificates. If the default locations are not present or are not valid, use the following procedure to add valid locations and configure them to be included in issued certificates.

To configure authority information access extension settings

  1. Open the Certification Authority snap-in.

  2. In the console tree, right-click the CA, and then click Properties.

  3. Click the Extensions tab.

  4. In Select extension, click Authority Information Access.

  5. If the Specify locations list does not include a valid location for the CA certificate, click Add to open the Add Location dialog box, and type a valid location. Click OK. Repeat to add multiple locations.

  6. In the Specify locations list, click a location, and then select the Include in the authority information access extension of issued certificates check box.

  7. Click OK to save changes. Active Directory Certificate Services must be restarted for the change to take effect.

Important

You should verify the specified location before issuing certificates that include it.
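The following PowerShell script is an added example (not part of this topic or of the product documentation) that performs the same check as this Best Practices Analyzer rule and, with -Fix, applies the change described in steps 5 to 7 of the procedure above without the snap-in. It assumes it is run elevated on the CA itself and that the CA stores its authority information access locations in the registry value CACertPublicationURLs under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name> (the value certutil -getreg CA\CACertPublicationURLs displays), with each entry in the form "<flags>:<location>", where flag bit 2 (AddToCertAIA) marks a location that is included in the extension of issued certificates. The substitution variable that represents the certificate name suffix is %4 (CertificateName). ldap:// locations are skipped, because the CA's default LDAP location stores renewed certificates on the same directory object and does not use the suffix; the -Fix switch only rewrites locations whose file name ends in .crt, which is the naming the default locations use.

```powershell
# Added example: audit the CA's AIA locations for the certificate name suffix
# variable (%4) and optionally append it to HTTP/file locations that lack it.
# Assumptions are stated in the lead-in above; run elevated on the CA.
param([switch]$Fix)

$AddToCertAIA = 2   # flag bit: include this location in the AIA extension of issued certificates

function Test-AiaLocation {
    # Returns $true when an entry needs the suffix: included in issued
    # certificates, not an LDAP location, and no %4 variable present.
    param([string]$Entry)
    $flags, $location = $Entry -split ':', 2
    $inAia = ([int]$flags -band $AddToCertAIA) -ne 0
    $isLdap = $location -like 'ldap:*'
    $hasSuffix = $location -like '*%4*'
    return ($inAia -and -not $isLdap -and -not $hasSuffix)
}

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName
$urls   = (Get-ItemProperty -Path $caKey -Name CACertPublicationURLs).CACertPublicationURLs

$updated  = @()
$findings = 0

foreach ($entry in $urls) {
    $flags, $location = $entry -split ':', 2
    if (Test-AiaLocation -Entry $entry) {
        $findings++
        Write-Warning "AIA location lacks the certificate name suffix (%4): $location"
        if ($Fix -and $location -match '\.crt$') {
            # Insert %4 before the extension, e.g. ..._%3.crt becomes ..._%3%4.crt
            $location = $location -replace '\.crt$', '%4.crt'
        }
    }
    $updated += "${flags}:$location"
}

if ($findings -eq 0) {
    Write-Output 'All AIA locations included in issued certificates carry the certificate name suffix.'
}
elseif ($Fix) {
    # Write the corrected list back as REG_MULTI_SZ; the CA reads it only at service start.
    Set-ItemProperty -Path $caKey -Name CACertPublicationURLs -Type MultiString -Value ([string[]]$updated)
    Restart-Service -Name certsvc
    Write-Output "Updated $findings location(s). Verify with: certutil -getreg CA\CACertPublicationURLs"
}
else {
    Write-Output "$findings location(s) need the suffix. Re-run with -Fix to apply, then verify each location is reachable before issuing certificates."
}
```

Run it once without -Fix to see what the rule would report, and compare the output against the Specify locations list on the Extensions tab; the audit and the snap-in read the same registry value. After applying the fix, confirm that the file the new URI points to actually exists at the published location (for the default file location this is the CertEnroll folder) before issuing certificates, as the Important note above requires.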

Additional references