Install the Certification Authority

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this procedure to install Active Directory Certificate Services (AD CS) so that you can enroll a server certificate to servers that are running Network Policy Server (NPS), Routing and Remote Access Service (RRAS), or both.

• Before you install Active Directory Certificate Services, you must name the computer, configure the computer with a static IP address, and join the computer to the domain. For more information on how to accomplish these tasks, see the Windows Server 2016 Core Network Guide.
• To perform this procedure, the computer on which you are installing AD CS must be joined to a domain where Active Directory Domain Services (AD DS) is installed.

Membership in both the Enterprise Admins and the root domain’s Domain Admins group is the minimum required to complete this procedure.

To perform this procedure by using Windows PowerShell, open Windows PowerShell and type the following command, and then press ENTER.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

After AD CS is installed, type the following command and press ENTER.

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA

To install Active Directory Certificate Services

If you want to use Windows PowerShell to install Active Directory Certificate Services, see Install-AdcsCertificationAuthority for cmdlets and optional parameters.

Log on as a member of both the Enterprise Admins group and the root domain’s Domain Admins group.

In Server Manager, click Manage, and then click Add Roles and Features. The Add Roles and Features Wizard opens.

In Before You Begin, click Next.

The Before You Begin page of the Add Roles and Features Wizard is not displayed if you have previously selected Skip this page by default when the Add Roles and Features Wizard was run.

In Select Installation Type, ensure that Role-Based or feature-based installation is selected, and then click Next.

In Select destination server, ensure that Select a server from the server pool is selected. In Server Pool, ensure that the local computer is selected. Click Next.

In Select Server Roles, in Roles, select Active Directory Certificate Services. When you are prompted to add required features, click Add Features, and then click Next.

In Select features, click Next.

In Active Directory Certificate Services, read the provided information, and then click Next.

In Confirm installation selections, click Install. Do not close the wizard during the installation process. When installation is complete, click Configure Active Directory Certificate Services on the destination server. The AD CS Configuration wizard opens. Read the credentials information and, if needed, provide the credentials for an account that is a member of the Enterprise Admins group. Click Next.

In Role Services, click Certification Authority, and then click Next.

On the Setup Type page, verify that Enterprise CA is selected, and then click Next.

On the Specify the type of the CA page, verify that Root CA is selected, and then click Next.

On the Specify the type of the private key page, verify that Create a new private key is selected, and then click Next.

On the Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and hash algorithm (SHA2), and determine the best key character length for your deployment. Large key character lengths provide optimal security; however, they can impact server performance and might not be compatible with legacy applications. It is recommended that you keep the default setting of 2048. Click Next.

On the CA Name page, keep the suggested common name for the CA or change the name according to your requirements. Ensure that you are certain the CA name is compatible with your naming conventions and purposes, because you cannot change the CA name after you have installed AD CS. Click Next.

On the Validity Period page, in Specify the validity period, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click Next.

On the CA Database page, in Specify the database locations, specify the folder location for the certificate database and the certificate database log. If you specify locations other than the default locations, ensure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files. Click Next.

In Confirmation, click Configure to apply your selections, and then click Close.

Server Certificate Deployment Overview

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic contains the following sections.

Server certificate deployment components

You can use this guide to install Active Directory Certificate Services (AD CS) as an Enterprise root certification authority (CA) and to enroll server certificates to servers that are running Network Policy Server (NPS), Routing and Remote Access service (RRAS), or both NPS and RRAS.

If you deploy SDN with certificate-based authentication, servers are required to use a server certificate to prove their identities to other servers so that they achieve secure communications.

The following illustration shows the components that are required to deploy server certificates to servers in your SDN infrastructure.

In the illustration above, multiple servers are depicted: DC1, CA1, WEB1, and many SDN servers. This guide provides instructions for deploying and configuring CA1 and WEB1, and for configuring DC1, which this guide assumes you have already installed on your network. If you have not already installed your Active Directory domain, you can do so by using the Core Network Guide for Windows Server 2016.

For more information on each item depicted in the illustration above, see the following:

CA1 running the AD CS server role

In this scenario, the Enterprise Root certification authority (CA) is also an issuing CA. The CA issues certificates to server computers that have the correct security permissions to enroll a certificate. Active Directory Certificate Services (AD CS) is installed on CA1.

For larger networks or where security concerns provide justification, you can separate the roles of root CA and issuing CA, and deploy subordinate CAs that are issuing CAs.

In the most secure deployments, the Enterprise Root CA is taken offline and physically secured.

CAPolicy.inf

Before you install AD CS, you configure the CAPolicy.inf file with specific settings for your deployment.

Copy of the RAS and IAS servers certificate template

When you deploy server certificates, you make one copy of the RAS and IAS servers certificate template and then configure the template according to your requirements and the instructions in this guide.

You utilize a copy of the template rather than the original template so that the configuration of the original template is preserved for possible future use. You configure the copy of the RAS and IAS servers template so that the CA can create server certificates that it issues to the groups in Active Directory Users and Computers that you specify.

Additional CA1 configuration

The CA publishes a certificate revocation list (CRL) that computers must check to ensure that certificates that are presented to them as proof of identity are valid certificates and have not been revoked. You must configure your CA with the correct location of the CRL so that computers know where to look for the CRL during the authentication process.

WEB1 running the Web Services (IIS) server role

On the computer that is running the Web Server (IIS) server role, WEB1, you must create a folder in Windows Explorer for use as the location for the CRL and AIA.

Virtual directory for the CRL and AIA

After you create a folder in Windows Explorer, you must configure the folder as a virtual directory in Internet Information Services (IIS) Manager, as well as configuring the access control list for the virtual directory to allow computers to access the AIA and CRL after they are published there.

DC1 running the AD DS and DNS server roles

DC1 is the domain controller and DNS server on your network.

Group Policy default domain policy

After you configure the certificate template on the CA, you can configure the default domain policy in Group Policy so that certificates are autoenrolled to NPS and RAS servers. Group Policy is configured in AD DS on the server DC1.

DNS alias (CNAME) resource record

You must create an alias (CNAME) resource record for the Web server to ensure that other computers can find the server, as well as the AIA and the CRL that are stored on the server. In addition, using an alias CNAME resource record provides flexibility so that you can use the Web server for other purposes, such as hosting Web and FTP sites.

NPS1 running the Network Policy Server role service of the Network Policy and Access Services server role

The NPS is installed when you perform the tasks in the Windows Server 2016 Core Network Guide, so before you perform the tasks in this guide, you should already have one or more NPSs installed on your network.

Group Policy applied and certificate enrolled to servers

After you have configured the certificate template and autoenrollment, you can refresh Group Policy on all target servers. At this time, the servers enroll the server certificate from CA1.

Server certificate deployment process overview

The details of how to perform these steps are provided in the section Server Certificate Deployment.

The process of configuring server certificate enrollment occurs in these stages:

On WEB1, install the Web Server (IIS) role.

On DC1, create an alias (CNAME) record for your Web server, WEB1.

Configure your Web server to host the CRL from the CA, then publish the CRL and copy the Enterprise Root CA certificate into the new virtual directory.

On the computer where you are planning to install AD CS, assign the computer a static IP address, rename the computer, join the computer to the domain, and then log on to the computer with a user account that is a member of the Domain Admins and Enterprise Admins groups.

On the computer where you are planning to install AD CS, configure the CAPolicy.inf file with settings that are specific to your deployment.

Install the AD CS server role and perform additional configuration of the CA.

Copy the CRL and CA certificate from CA1 to the share on the Web server WEB1.

On the CA, configure a copy of the RAS and IAS Servers certificate template. The CA issues certificates based on a certificate template, so you must configure the template for the server certificate before the CA can issue a certificate.

Configure server certificate autoenrollment in Group Policy. When you configure autoenrollment, all servers that you have specified with Active Directory group memberships automatically receive a server certificate when Group Policy on each server is refreshed. If you add more servers later, they will automatically receive a server certificate, too.

Refresh Group Policy on servers. When Group Policy is refreshed, the servers receive the server certificate, which is based on the template that you configured in the previous step. This certificate is used by the server to prove its identity to client computers and other servers during the authentication process.

All domain member computers automatically receive the Enterprise Root CA’s certificate without the configuration of autoenrollment. This certificate is different than the server certificate that you configure and distribute by using autoenrollment. The CA’s certificate is automatically installed in the Trusted Root Certification Authorities certificate store for all domain member computers so that they will trust certificates that are issued by this CA.

Verify that all servers have enrolled a valid server certificate.

Certification Authority Guidance

Applies To: Windows Server 2012 R2, Windows Server 2012

A certification authority (CA) is responsible for attesting to the identity of users, computers, and organizations. The CA authenticates an entity and vouches for that identity by issuing a digitally signed certificate. The CA can also manage, revoke, and renew certificates.

A certification authority can refer to following:

An organization that vouches for the identity of an end user

A server that is used by the organization to issue and manage certificates

By installing the Certification Authority role service of Active Directory Certificate Services (AD CS), you can configure your Windows server to act as a CA.

Before you install the CA role service, you should:

Plan a public key infrastructure (PKI) that is appropriate for your organization.

Install and configure a Hardware Security Module (HSM) according to the HSM vendor instructions, if you are planning to use one.

Create an appropriate CAPolicy.inf, if you want to modify the default installation settings.

Plan for PKI

To ensure that your organization can take full advantage of your Active Directory Certificate Services (AD CS) installation, you must plan the PKI deployment appropriately. You should determine how many CAs you will install and in what configuration before you install any CA. Creating an appropriate PKI design can be time consuming, but it is important for the success of your PKI.

For more information and resources, see PKI Design Guidance in Microsoft TechNet.

Use an HSM

Using a hardware security module (HSM) can enhance the security of the CA and the PKI.

An HSM is a dedicated hardware device that is managed separately from the operating system. These modules provide a secure hardware store for CA keys, in addition to a dedicated cryptographic processor to accelerate signing and encrypting operations. The operating system utilizes the HSM through the CryptoAPI interfaces, and the HSM functions as a cryptographic service provider (CSP) device.

HSMs typically are PCI adapters, but they are also available as network-based appliances, serial devices, and USB devices. If an organization plans to implement two or more CAs, you can install a single network-based HSM and share it among multiple CAs.

To set up a CA by using an HSM, the HSM must be installed and configured before you set up any CAs with keys that will be stored on the HSM.

Consider a CAPolicy.inf file

The CAPolicy.inf file is not required to install AD CS, but it can be used to customize the settings of the CA. The CAPolicy.inf file contains various settings that are used when installing a CA or when renewing the CA certificate. The CAPolicy.inf file must be created and stored in the %systemroot% directory (typically C:\Windows) for it to be used.

The settings that you include in the CAPolicy.inf file depend largely on the deployment type that you want to create. For example, a root CA might have a CAPolicy.inf file that looks like this:

Whereas a CAPolicy.inf file for an enterprise that is issuing a CA might look like this:

Select CA configuration settings

The following sections describe the configuration options that you will select after installing the CA binary installation files.

Select setup type

Enterprise CAs are integrated with Active Directory Domain Services (AD DS). They publish certificates and certificate revocation lists (CRLs) to AD DS. Enterprise CAs use information that is stored in AD DS, including user accounts and security groups, to approve or deny certificate requests. Enterprise CAs use certificate templates. When a certificate is issued, the Enterprise CA uses information in the certificate template to generate a certificate with the appropriate attributes for that certificate type.

If you want to enable automated certificate approval and automatic user certificate enrollment, use Enterprise CAs to issue certificates. These features are available only when the CA infrastructure is integrated with Active Directory. Additionally, only Enterprise CAs can issue certificates that enable smart card sign-in, because this process requires that smart card certificates are mapped automatically to the user accounts in Active Directory.

By default, you must be a member of the Enterprise Admins group to install and configure an Enterprise CA. If you want a low-privileged domain administrator to install and configure an Enterprise CA, see Delegated Installation for an Enterprise Certification Authority.

Stand-alone CAs do not require AD DS, and they do not use certificate templates. If you use stand-alone CAs, all information about the requested certificate type must be included in the certificate request. By default, all certificate requests that are submitted to stand-alone CAs are held in a pending queue until a CA administrator approves them. You can configure stand-alone CAs to issue certificates automatically upon request, but this is less secure, and it is usually not recommended because the requests are not authenticated.

From a performance perspective, using stand-alone CAs with automatic issuance enables you to issue certificates at a faster rate than you can by using enterprise CAs. However, unless you are using automatic issuance, using stand-alone CAs to issue large volumes of certificates usually comes at a high administrative cost because an administrator must manually review and then approve or deny each certificate request. For this reason, stand-alone CAs are best used with public key security applications on extranets and on the Internet, when users do not have user accounts and when the volume of certificates to be issued and managed is relatively low

You must use stand-alone CAs to issue certificates when you are using a non-Microsoft directory service or when AD DS is not available. You can use both enterprise and stand-alone certification authorities in your organization, as explained in the following table.

Option	Enterprise CA	Standalone CA
Publish certificates in Active Directory and use Active Directory to validate certificate requests.	Yes	No
Take the CA offline.	Not recommended	Yes
Configure the CA to issue certificates automatically.	Yes	Not recommended
Allow administrators to approve certificate requests manually.	Yes	Yes
Allow for the use of certificate templates.	Yes	No
Authenticate requests to Active Directory.	Yes	No

Choose CA type

Enterprise and stand-alone CAs can be configured as root CAs or as subordinate CAs. Subordinate CAs can further be configured as intermediate CAs (also referred to as a policy CA) or issuing CAs

Designate a root CA

A root CA is the CA that is at the top of a certification hierarchy. It must be trusted unconditionally by clients in your organization. All certificate chains terminate at a root CA. Whether you use enterprise or stand-alone CAs, you need to designate a root CA.

Since the root CA is the top CA in the certification hierarchy, the Subject field of the certificate that is issued by a root CA has the same value as the Issuer field of the certificate. Likewise, because the certificate chain terminates when it reaches a self-signed CA, all self-signed CAs are root CAs. The decision to designate a CA as a trusted root CA can be made at the enterprise level or locally by the individual IT administrator.

A root CA serves as the foundation upon which you base your certification authority trust model. It guarantees that the subject’s public key corresponds to the identity information shown in the subject field of the certificates it issues. Different CAs might also verify this relationship by using different standards; therefore, it is important to understand the policies and procedures of the root certification authority before choosing to trust that authority to verify public keys.

The root CA is the most important CA in your hierarchy. If your root CA is compromised, all CAs in the hierarchy and all certificates issued from it are considered compromised. You can maximize the security of the root CA by keeping it disconnected from the network and by using subordinate CAs to issue certificates to other subordinate CAs or to end users.

Subordinate CAs

CAs that are not root CAs are considered subordinate. The first subordinate CA in a hierarchy obtains its CA certificate from the root CA. This first subordinate CA can use this key to issue certificates that verify the integrity of another subordinate CA. These higher subordinate CAs are referred to as intermediate CAs. An intermediate CA is subordinate to a root CA, but it serves as a higher certifying authority to one or more subordinate CAs.

An intermediate CA is often referred to as a policy CA because it is typically used to separate classes of certificates that can be distinguished by policies. For example, policy separation includes the level of assurance that a CA provides or the geographical location of the CA to distinguish different end-entity populations. A policy CA can be online or offline.

It is not possible to convert a root CA to a subordinate CA, or vice versa.

Store a private key

The private key is part of the CA identity, and it must be protected from compromise. Many organizations protect CA private keys by using a hardware security module (HSM). If an HSM is not used, the private key is stored on the CA computer. For more information, see Hardware Security Module (HSM) in Microsoft TechNet.

Offline CAs should be stored in secure locations and not connected to the network. Issuing CAs use their private keys when issuing certificates, so the private key must be accessible (online) while the CA is in operation. In all cases, the CA and its private key on the CA should be physically protected.

Locate an existing key

If you already have an existing private key that you want to use during installation, you can use the Existing Key screen to locate that key. You can use the Change button to modify the cryptographic provider, and optionally, the CA that you want to search for an existing key.

Locate an existing certificate

If you already have a certificate that contains the private key for the CA, you can use the Existing Certificate screen to locate it. You can use the Import button to open the Import Existing Certificate dialog box, and then locate your existing PKCS #12 file.

Select cryptographic options

Selecting cryptographic options for a certification authority (CA) can have significant security, performance, and compatibility implications for that CA. Although the default cryptographic options may be suitable for most CAs, the ability to implement custom options can be useful to administrators and application developers with a more advanced understanding of cryptography and a need for this flexibility. Cryptographic options can be implemented by using cryptographic service providers (CSPs) or key storage providers (KSPs).

When using an RSA certificate for a CA, ensure that the key length is at least 2048 bits. You must not attempt to use an RSA certificate below 1024 bits for the CA. The CA service (certsvc) will not start if an RSA key of less than 1024 bits is installed.

CSPs are hardware and software components in Windows operating systems that provide generic cryptographic functions. CSPs can be written to provide a variety of encryption and signature algorithms.

KSPs can provide strong key protection for computers running a minimum server version Windows Server 2008 R2 and a minimum client version of Windows Vista.

When you select the provider, hash algorithm, and key length, carefully consider what cryptographic options the applications and devices that you intend to use can support. Although it’s a best practice to select the strongest security options, not all applications and devices can support these. If your support requirements change and you are then able to use the stronger security options, such as migrating to a KSP and a stronger hash algorithm, see Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP).

Allow administrator interaction when the private key is accessed by the CA is an option that is typically used with hardware security modules (HSMs). This allows the cryptographic provider to prompt the user for additional authentication when the private key of the CA is accessed. This option can be used to help prevent unapproved use of the CA and its private key by requiring the administrator to enter a password before every cryptographic operation.

The built-in cryptographic providers support specific key lengths and hash algorithms as described in the following table.

Cryptographic provider	Key lengths	Hash algorithm
Microsoft Base Cryptographic Provider v1.0	— 512 — 1024 — 2048 — 4096	— SHA1 — MD2 — MD4 — MD5
Microsoft Base DSS Cryptographic Provider	— 512 — 1024	SHA1
Microsoft Base Smart Card Crypto Provider	— 1024 — 2048 — 4096	— SHA1 — MD2 — MD4 — MD5
Microsoft Enhanced Cryptographic Provider v1.0	— 512 — 1024 — 2048 — 4096	— SHA1 — MD2 — MD4 — MD5
Microsoft Strong Cryptographic Provider	— 512 — 1024 — 2048 — 4096	— SHA1 — MD2 — MD4 — MD5
RSA#Microsoft Software Key Storage Provider	— 512 — 1024 — 2048 — 4096	— SHA1 — SHA256 — SHA384 — SHA512 — MD2 — MD4 — MD5
DSA#Microsoft Software Key Storage Provider	— 512 — 1024 — 2048	SHA1
ECDSA_P256#Microsoft Software Key Storage Provider	256	— SHA1 — SHA256 — SHA384 — SHA512
ECDSA_P384#Microsoft Software Key Storage Provider	384	— SHA1 — SHA256 — SHA384 — SHA512
ECDSA_P521#Microsoft Software Key Storage Provider	521	— SHA1 — SHA256 — SHA384 — SHA512
RSA#Microsoft Smart Card Key Storage Provider	— 1024 — 2048 — 4096	— SHA1 — SHA256 — SHA384 — SHA512 — MD2 — MD4 — MD5
ECDSA_P256#Microsoft Smart Card Key Storage Provider	256	— SHA1 — SHA256 — SHA384 — SHA512
ECDSA_P384#Microsoft Smart Card Key Storage Provider	384	— SHA1 — SHA256 — SHA384 — SHA512
ECDSA_P521#Microsoft Smart Card Key Storage Provider	521	— SHA1 — SHA256 — SHA384 — SHA512

Establish a CA name

Before you configure certification authorities (CAs) in your organization, you should establish a CA naming convention.

You can create a name by using any Unicode character, but you might want to use the ANSI character set if interoperability is a concern. For example, certain types of routers will not be able to use the Network Device Enrollment Service to enroll for certificates if the CA name contains special characters such as an underscore.

If you use non-Latin characters (such as Cyrillic, Arabic, or Chinese characters), your CA name must contain fewer than 64 characters. If you use only non-Latin characters, your CA name can be no more than 37 characters in length.

In Active Directory Domain Services (AD DS), the name that you specify when you configure a server as a CA becomes the common name of the CA, and this name is reflected in every certificate that the CA issues. For this reason, it is important that you do not use the fully qualified domain name for the common name of the CA. This way, malicious users who obtain a copy of a certificate cannot identify and use the fully qualified domain name of the CA to create a potential security vulnerability.

The CA name should not be identical to the name of the computer (NetBIOS or DNS name). Also, you cannot change the name of a server after Active Directory Certificate Services (AD CS) is installed without invalidating all the certificates that are issued by the CA. For additional considerations regarding CA names, see TechNet Wiki article: Considerations for Certification Authority (CA) Names.

To change the server name after AD CS is installed, you must uninstall the CA, change the name of the server, reinstall the CA using the same keys and modify the registry to use the existing CA keys and database. You do not have to reinstall a CA if you rename a domain; however, you will have to reconfigure the CA to support the name change.

Obtain a certificate request

After a root certification authority (CA) has been installed, many organizations will install one or more subordinate CAs to implement policy restrictions on the public key infrastructure (PKI) and to issue certificates to end clients. Using at least one subordinate CA can help protect the root CA from unnecessary exposure. When you install a subordinate CA, you must obtain a certificate from the parent CA.

If the parent CA is online, you can use the Send a certificate request to a parent CA option, and select the parent CA by CA name or computer name.

If the parent CA is offline, you should use the Save a certificate request to file on the target machine option. The procedure for this will be unique to the parent CA. At a minimum, the parent CA should provide a file that contains the subordinate CA’s newly issued certificate, preferably its full certification path.

If you get a subordinate CA certificate that does not include the full certification path, the new subordinate CA that you install must be able to build a valid CA chain when it starts. Do the following to create a valid certification path:

Install the parent CA’s certificate in the Intermediate Certification Authorities certificate store of the computer if the parent CA is not a root CA.

Install the certificates of any other intermediate CA in the chain.

Install the certificate of the root CA into the Trusted Root Certification Authorities store.

These certificates should be installed in the certificate store before you install the CA certificate on the subordinate CA you have just set up.

Verify the validity period

Certificate-based cryptography uses public-key cryptography to protect and sign data. Over time, attackers could obtain data that was protected with the public key and attempt to derive the private key from it. Given enough time and resources, this private key could be compromised, effectively rendering all protected data unprotected. Also the names that are guaranteed by a certificate may need to be changed over time. Because a certificate is a binding between a name and a public key, when either of these change, the certificate should be renewed.

Every certificate has a validity period. After the end of the validity period, the certificate is no longer considered an acceptable or usable credential.

CAs cannot issue certificates that are valid beyond their own validity period. A best practice is to renew the CA certificate when half of its validity period is expired. When installing a CA, you should plan this date and ensure that it is recorded as a future task.

Choose a CA database

As in many databases, the certification authority’s database is a file on the hard drive. In addition to this file, other files serve as the transaction logs, and they receive all modifications to the database before the changes are made. Because these files may be accessed frequently and simultaneously, it is best to keep the database and transaction logs on separate hard drives or high-performance disk configurations, such as striped volumes.

The location of the certificate database and log files are kept in the following registry location:

The registry contains following values:

You can move the certificate database and log files after installation. For information, see article 283193in the Microsoft Knowledge Base.

Configure the CA

After a root or subordinate CA is installed, you must configure the Authority Information Access (AIA) and CRL distribution point (CDP) extensions before the CA issues any certificates. The AIA extension specifies where to find up-to-date certificates for the CA. The CDP extension specifies where to find up-to-date CRLs that are signed by the CA. These extensions apply to all certificates that are issued by that CA.

Configuring these extensions ensures that this information is included in each certificate that the CA issues so that it is available to all clients. This ensures that PKI clients experience the least possible number of failures due to unverified certificate chains or certificate revocations, which can result in unsuccessful VPN connections, failed smart card sign-ins, or unverified email signatures.

As a CA administrator, you can add, remove, or modify CRL distribution points and the locations for CDP and AIA certificate issuance. Modifying the URL for a CRL distribution point only affects newly issued certificates. Previously issued certificates will continue to reference the original location, which is why you should establish these locations before your CA distributes any certificates.

Consider these guidelines when you configure CDP extension URLs:

Avoid publishing delta CRLs on offline root CAs. Because you do not revoke many certificates on an offline root CA, a delta CRL is probably not needed.

Adjust the default LDAP:/// and HTTP:// URL locations on the Extensions tab of the certification authority’s Properties Extension tab according to your needs.

Publish a CRL on an HTTP Internet or extranet location so that users and applications outside the organization can perform certificate validation. You can publish the LDAP and HTTP URLs for CDP locations to enable clients to retrieve CRL data with HTTP and LDAP.

Remember that Windows clients always retrieve the list of URLs in sequential order until a valid CRL is retrieved.

Use HTTP CDP locations to provide accessible CRL locations for clients running non-Windows operating systems.

For more information about CRLs and delta CRLs, see Configuring Certificate Revocation.

Windows PowerShell and certutil support variable numbers (preceded by a percent (%) sign) to help in publishing CDP and AIA locations. The CA’s Properties Extension tab supports bracketed variables. The following table equates the variables between the interfaces and describes their meanings.

Variable	Extensions tab name	Description
%1	The DNS name for the CA computer. If connected to a DNS domain, it is the fully qualified domain name; otherwise, it is the hostname of the computer.
%2	The NetBIOS name of the CA server
%3	The name of the CA
%4	This allows each additional revision of the certificate to have a unique suffix.
%4	None	Not used
%6	The location of the configuration container in Active Directory Domain Services (AD DS)
%7	The name of the CA truncated to 32 characters with a hash at the end
%8	This inserts a suffix on the file name when publishing a CRL to a file or URL location.
%9	When a delta CRL is published, this replaces the CRLNameSuffix variable with a separate suffix to distinguish the delta CRL from the CRL.
%10	The object class identifier for CRL distribution points, which is used when publishing to an LDAP URL.
%11	The object class identifier for a CA, which is used when publishing to an LDAP URL.

Publish the AIA extension

The AIA extension tells the client computers where they can find the certificate to be verified. This allows the client to confirm whether the certificate can be trusted.

You can configure the AIA extension by using the Certification Authority interface, Windows PowerShell, or the certutil command. The following table describes the options that you can use with the AIA extension by using these methods.

Interface check box name	Windows PowerShell parameter	Certutil value
Include in the AIA extension of issued certificate	-AddToCertificateAia	2
Include in the online certificate status protocol (OCSP) extension	-AddToCertificateOcsp	32

The examples in this section for publishing the AIA extension represent the following scenario:

The domain name is corp.contoso.com.

There is a web server named App1 in the domain.

App1 has a shared folder named PKI that allows the CA Read and Write permissions.

App1 has a DNS CNAME of www and a shared virtual directory named PKI.

The first protocol that client computers should use for the AIA information is HTTP.

The second protocol that client computers should use for the AIA information is LDAP.

The CA that is being configured is an online issuing CA.

OCSP is not in use.

Use the interface to publish the AIA extension

The interface uses the variables and check box names that are described in the previous tables. You can access the interface through the Certification Authority interface. From the contents pane, right-click the CA, click Properties, and then click Extensions. In Select extension, click Authority Information Access (AIA).

Figure 1 AIA extension menu

The locations and settings configured in the user interface are as follows:

C:\Windows\system32\CertSrv\CertEnroll\ _ .crt

• Include in the AIA extension of issued certificates

file://\\App1.corp.contoso.com\pki\ _ .crt

ldap:///CN= ,CN=AIA,CN=Public Key Services,CN=Services,

• Include in the AIA extension of issued certificates

Use Windows PowerShell to publish the AIA extension

The following Windows PowerShell commands can be used to configure the AIA extension for the given scenario:

Use certutil to publish the AIA extension

The following certutil command can be used to configure the AIA extension for the given scenario:

Publish the CDP extension

The CDP extension tells client computers where they can find the most recent CRL, so the client can confirm that a particular certificate has not been revoked.

You can configure the CDP extension by using the Certification Authority interface, Windows PowerShell, or the certutil command. The following table describes the options that you can use with the CDP extension by using these methods.

Interface check box name	Windows PowerShell parameter	Certutil value
Publish CRLs to this location	-PublishToServer	1
Include in all CRLs. (Specifies where to publish in Active Directory when publishing manually.)	-AddToCrlCdp	8
Include in CRLs. (Clients use this to find the delta CRL locations.)	-AddToFreshestCrl	4
Include in the CDP extension of issued certificates.	-AddToCertificateCdp	2
Publish Delta CRLs to this location.	-PublishDeltaToServer	64
Include in the IDP extension of issued CRLs.	-AddToCrlIdp	128

The Issuing Distribution Point (IDP) extension is used by non-Windows clients to verify certificate revocation. The IDP extension allows partitioned CRLs to be deployed when using third-party CAs. Partitioned CRLs allow a third-party CA to publish CRLs with only specific certificate types within each CRL. For example, you can have separate CRLs for end certificates versus CA certificates. Specifically, the following options can be set in the IDP:

If you are allowing delta CRL publishing to an Internet Information Services (IIS) web server, you must modify the default IIS configuration by setting allowDoubleEscaping=true of the requestFiltering element in the system.web section of the IIS configuration. For example, if you want to allow double escaping for the PKI virtual directory of the default Web site on IIS, run the following command on the IIS web server: appcmd set config «Default Web Site/pki» -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true . For more information, see AD CS: Web server should allow URI containing the “+” character to enable publishing of delta CRLs.

The examples in this section for publishing the CDP extension represent the following scenario:

The domain name is corp.contoso.com.

There is a web server named App1 in the domain.

App1 has a shared folder named PKI that allows the CA Read and Write permissions.

App1 has a DNS CNAME of www and a shared virtual directory named PKI.

The first protocol that client computers should use for the CDP information is HTTP.

The second protocol that client computers should use for the CDP information is LDAP.

The CA that is being configured is an online issuing CA.

IDP is not in use.

Use the interface to publish the CDP extension

The interface uses the variables and check box names that are described in the previous tables. You can access the interface through the Certification Authority interface. From the contents pane, right-click the CA, click Properties, and then click Extensions. In Select extension, click CRL Distribution Point (CDP).

Figure 2 CDP extension menu

The locations and settings configured in the interface are as follows:

Publish CRLs to this location

Publish delta CRLs to this location

Include in CRLs. Clients use this to find delta CRL locations.

Include in the CDP extension of issued certificates

Publish CRLs to this location

Publish Delta CRLs to this location

ldap:///CN= ,CN= ,CN=CDP,CN=Public Key Services,CN=Services,

Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually.

Include in the CDP extension of certificates

Use Windows PowerShell to publish the CDP extension

The following Windows PowerShell commands are used to configure the CDP extension for the given scenario:

If you use Windows PowerShell to add CDP paths, existing paths remain in place. The first Windows PowerShell command in the example removes all the existing paths. For more information about using Windows PowerShell to remove CDP paths, see Remove-CACrlDistributionPoint.

Use certutil to publish the CDP extension

The following certutil command configures the CDP extension for the given scenario:

To publish the CRL, you can run the command certutil -crl on the CA from Windows PowerShell or a command prompt run as administrator. For more information about CRL configuration and publishing, see Configuring Certificate Revocation.

Verify the configuration

To verify the CA configuration, you can run the following commands from Windows PowerShell or a from a Command Prompt window:

Command	Description
Certutil -CAInfo	Shows the status of the names, locale, object identifiers (OIDs), and CRLs for the CA.
Certutil -getreg	Displays the CA registry configuration.
Certutil -ADCA	Confirms the configuration of enterprise CAs.

You can use the Enterprise PKI View (PKIView.msc) tool to check your AIA and CDP publication configurations. For more information, see the Enterprise PKI.

You can also use the Online Responder role service to check certificate revocation. For more information about Online Responder, see Online Responder Installation, Configuration, and Troubleshooting Guide.