Saturday, 11 February 2017

Offline standalone root CA install, Server 2012 R2 - Part 2


So, in part 1, we installed our offline root CA called LITCA01. In this part, we’ll configure the AIA and CDP settings so that we can create a subordinate CA which will be used to issue certificates to clients and be joined to the domain.

What is a CDP?

First of all, what is a CDP and what is AIA? Yes, good question!
CDP stands for CRL Distribution Point. CRL stands for Certificate Revocation List. Let’s say you issue a certificate to a web server. Your client then connects to the web server and downloads the certificate (public key). It needs to know if this web server certificate has been revoked or not so to do this, it looks at the certificate extensions (properties on the certificate) and looks for the CDP locations. Usually this is an LDAP or HTTP URL and the client can connect to download the CRL and then work out if the web server certificate has been revoked or not.

What is AIA?

The Authority Information Access (AIA) locations are configured on a CA and they are stamped onto certificates issued by the CA. This information is used by an application or service to get the issuing CA certificate to validate the certificate path.

How to configure an offline standalone root CA CDP and AIA extensions

  • Install IIS and the management tools:
Install-WindowsFeature web-server,web-mgmt-console
  • Make a directory in the default website: C:\inetpub\wwwroot\CertEnroll
  • Open up the Certification Authority console
  • Right click on your CA (LITCA01-CA in our case) and click on properties
  • Click on the extensions tab and click on Add to add a new CDP:
  • Enable Publish CRLs to this location and Publish Delta CRLs to this location
  • Run certutil -crl to create a new CRL and ensure this appears in the folder with the name: C:\inetpub\wwwroot\CertEnroll\LITCA01-CA.crl (your CA name will be different)
  • Configure the http CDP by enabling Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates
  • Now, click on Select extension and choose Authority Information Access (AIA):
    • Add an AIA location:
  • Enable http AIA by ticking Include in the AIA extension of issued certificates
  • Click OK
  • Copy C:\Windows\System32\CertSrv\CertEnroll\litca01_LITCA01-CA.crt to C:\inetpub\wwwroot\CertEnroll\litca01_LITCA01-CA.crt (your CA name will be different so copy the .crt file for your CA)


We’ve now configured a CDP and AIA location for our offline root CA. These will only be needed for our subordinate CAs when they need to renew or reissue their CA certificates. In the next post, we’ll go through how to set up a subordinate enterprise CA which our domain joined clients can use for certificate requests.

1 comment:

  1. Is there also a part to set up the subordinate enterprise CA?!