Token for CDP and AIA configuration of a certification authority

The following is an overview of the tokens for the CDP and AIA configuration of a certification authority.

%1 ServerDNSName: The fully qualified DNS name of the server on which the certification authority is installed.
%2 ServerShortName: The NetBIOS name of the server on which the certification authority is installed.
%3 CaName: The Common Name (CN) of the certification authority.
%4 CertificateName: The certificate index for the name of the certification authority certificate.
%6 ConfigurationContainer: The path to the Configuration container of the Active Directory forest.
%7 CATruncatedName: The name of the certification authority limited to 32 characters, with a checksum.
%8 CRLNameSuffix: The key index for the name of the certificate revocation lists.
%9 DeltaCRLAllowed: Replaced by a "+" for a delta CRL.
%10 CDPObjectClass: Placeholder for the cRLDistributionPoint object class in the LDAP path of the CRL Distribution Point (CDP) extension.
%11 CAObjectClass: Placeholder for the certificationAuthority object class in the LDAP path of the Authority Information Access (AIA) extension.

Sensible adjustments

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of rules to achieve secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can be downloaded via GitHub and used free of charge.

Make LDAP revocation list paths independent of the hostname of the certification authority server

By default, the following LDAP path is configured for revocation list publishing when a certificate authority is installed.

ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6

The ServerShortName token (%2) causes the LDAP path to contain the NetBIOS name of the certification authority server. This can cause problems when the certification authority is migrated to another server.

A simple way around this is to replace the token with CaName (%3), which stands for the common name of the certification authority.

ldap:///CN=%7%8,CN=%3,CN=CDP,CN=Public Key Services,CN=Services,%6

The setting is made in the following registry path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Name-of-certification-authority>\CRLPublicationURLs

After this configuration adjustment has been made, the certification authority service must be restarted.

In addition, the LDAP path, which now differs from the default, must be created once: first create a certificate revocation list, then publish it to Active Directory as an Enterprise Administrator.

certutil -f -dspublish <revocation-list>.crl

When the revocation list is created, Event ID 74 is logged, because the certification authority immediately tries to publish to LDAP and initially fails. Once the revocation list has been uploaded manually a single time, the error no longer occurs.
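The adjustment described above, carried out end to end in PowerShell as an added example (not code from the original article): it rewrites the %2 token to %3 in CRLPublicationURLs, restarts the CA service, issues a CRL and publishes it to the new LDAP location with certutil -dspublish. Assumptions: the default ADCS registry layout (the "Active" value naming the CA), the default local CRL folder System32\CertSrv\CertEnroll, and the Microsoft-Windows-CertificationAuthority event provider for the Event ID 74 check; the function name is hypothetical.

```powershell
# Added example, not part of the original article. Run elevated on the CA
# server; the dspublish step additionally requires Enterprise Admin rights.
$confKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# The "Active" value names the CA whose subkey holds CRLPublicationURLs.
$caName  = (Get-ItemProperty -Path $confKey).Active
$caKey   = Join-Path $confKey $caName

function Convert-CdpUrlToCaName {
    # Hypothetical helper: each CRLPublicationURLs entry is "<flags>:<URL>".
    # Only LDAP entries nesting the CDP object under CN=%2 (NetBIOS host name)
    # are rewritten to CN=%3 (CA common name); everything else is left as is.
    param([string[]]$Urls)
    foreach ($u in $Urls) {
        if ($u -like '*ldap:///*' -and $u -match ',CN=%2,CN=CDP,') {
            $u -replace ',CN=%2,CN=CDP,', ',CN=%3,CN=CDP,'
        } else {
            $u
        }
    }
}

$before = (Get-ItemProperty -Path $caKey -Name CRLPublicationURLs).CRLPublicationURLs
$after  = @(Convert-CdpUrlToCaName -Urls $before)

if (Compare-Object -ReferenceObject $before -DifferenceObject $after) {
    Set-ItemProperty -Path $caKey -Name CRLPublicationURLs -Value $after -Type MultiString
    # CRLPublicationURLs is only read when the CA service starts.
    Restart-Service -Name CertSvc
    # Issue a fresh CRL. The CA tries to publish to the not-yet-existing
    # CN=<CaName> container, which is the one-time Event ID 74 the article mentions.
    certutil -crl | Out-Null
    # Create the new CDP container by publishing the CRL file(s) manually
    # (assumed default local publishing folder).
    $crlDir = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
    Get-ChildItem -Path $crlDir -Filter '*.crl' | ForEach-Object {
        certutil -f -dspublish $_.FullName
    }
} else {
    Write-Host 'CRLPublicationURLs already uses the CaName token (%3); nothing to do.'
}

# Verification: after the manual publish, no new Event ID 74 should appear at the
# next scheduled CRL publication (assumed provider name).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'; Id = 74 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```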

See also the article "Publish a certificate revocation list (CRL) to an Active Directory revocation list distribution point (CDP)".
