Configure the CDP and AIA Extensions on CA1
Updated: March 16, 2016
Applies To: Windows Server 2012
You can use this procedure to configure the Certificate Revocation List (CRL) Distribution Point (CDP) and the Authority Information Access (AIA) settings on CA1.
To perform this procedure, you must be a member of Domain Admins.
To configure the CDP and AIA extensions on CA1
In Server Manager, click Tools and then click Certification Authority.
In the Certification Authority console tree, right-click corp-CA1-CA, and then click Properties.
Note
The name of your CA is different if you did not name the computer CA1 and your domain name is different than the one in this example. The CA name is in the format domain-CAComputerName-CA.
Click the Extensions tab. Ensure that Select extension is set to CRL Distribution Point (CDP), and in the Specify locations from which users can obtain a certificate revocation list (CRL), do the following:
Select the entry file://\\<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click Remove. In Confirm removal, click Yes.
Select the entry https://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click Remove. In Confirm removal, click Yes.
Select the entry that starts with the path ldap://CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>, and then click Remove. In Confirm removal, click Yes.
In Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.
In Add Location, in Location, type https://pki.corp.contoso.com/pki/\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click OK. This returns you to the CA properties dialog box.
On the Extensions tab, select the following checkboxes:
Include in CRLs. Clients use this to find the Delta CRL locations
Include in the CDP extension of issued certificates
In Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.
In Add Location, in Location, type file://\\pki.corp.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click OK. This returns you to the CA properties dialog box.
On the Extensions tab, select the following checkboxes:
Publish CRLs to this location
Publish Delta CRLs to this location
Change Select extension to Authority Information Access (AIA), and in the Specify locations from which users can obtain a certificate revocation list (CRL), do the following:
Select the entry that starts with the path ldap://CN=<CATruncatedName>,CN=AIA,CN=Public Key Services, and then click Remove. In Confirm removal, click Yes.
Select the entry https://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt, and then click Remove. In Confirm removal, click Yes.
Select the entry file://\\<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt, and then click Remove. In Confirm removal, click Yes.
In Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.
In Add Location, in Location, type https://pki.corp.contoso.com/pki/\<ServerDNSName>_<CaName><CertificateName>.crt, and then click OK. This returns you to the CA properties dialog box.
On the Extensions tab, select Include in the AIA of issued certificates.
In Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.
In Add Location, in Location, type file://\\pki.corp.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt, and then click OK. This returns you to the CA properties dialog box.
Important
Ensure that Include in the AIA extension of issued certificates is not selected.
When prompted to restart Active Directory Certificate Services, click No. You will restart the service later.