Access to job information (AIA)

Basics: Finding certificates and validating the certification path

In order to determine whether a certificate has been issued by a certification authority that has been classified as trustworthy, a trust chain must be formed. To do this, all certificates in the chain must be determined and checked. Microsoft CryptoAPI builds all possible certificate chains and returns those with the highest quality to the requesting application.

Token for CDP and AIA configuration of a certification authority

The following is an overview of the tokens for the CDP and AIA configuration of a certification authority.

Public Key Infrastructures (PKI) basics

A public key infrastructure comprises all components (hardware, software, people and processes) required for the use of digital certificates. A PKI consists of one or more certification authorities (CA). The tasks of a PKI include:

Ensuring the authenticity of keys, i.e. establishing a traceable link between a key and its origin to prevent misuse.
Revocation of certificates, i.e., ensuring that decommissioned or compromised (e.g., stolen) keys can no longer be used.
Guarantee of liability (non-repudiation), i.e., the owner of a key cannot deny that it belongs to him.
Enforcement of policies, i.e. standardized procedures for the use of certificates.

Use Microsoft Network Load Balancing (NLB) for revocation list distribution points (CDP), access to job information (AIA), and online responders (OCSP).

It is generally a good idea to ensure the availability of CRL Distribution Points (CDP), Authority Information Access (AIA), and if available, Online Responders (OCSP) at all times.

Access to the revocation information is even more critical than to the certificate authority itself. If the revocation status of a certificate cannot be checked, it is possible (depending on the application) that the certificate is not considered trustworthy and the associated IT service cannot be used.