
We have built a tier 2 PKI. Recently we decided to start hosting our CDP & AIA on a separate webserver. However this was not originally in the design, so now we have problems with the certificate chain as the webserver is included on the Root certificate. Just to verify whether this was the problem, I made one of our subordinates publicly accessible for a brief period of time so it could retrieve the Root AIA information on it, and this indeed fixed the certificate chain issue, so I need to include the webserver on the Root AIA certificate info and host the AIA on that server.

So now I can fix our problem by changing the Root AIA URLs, adding the webserver to them and reissuing the subordinate certificates; however, is there also a way that does not include renewing the subordinate certificates?

  • Can you clarify what you mean by "Root AIA" please? Also, exactly what is included in the Root certificate? Nothing should be. – garethTheRed Apr 06 '20 at 10:32
  • As far as I know you configure the Authority Information Access (AIA) in 2 locations: on the Root CA's AIA extension and on the Subordinate CA's extension. Previously I included the subordinate's inetpub folder, in which we placed the files from the Root, so that clients could access those files there for CRL & chain verification. However, now we have chosen to host those files on a separate webserver, but that webserver is not included in the Root AIA properties. – kevin rennenberg Apr 06 '20 at 10:39
  • Update: I did some more searching and it seems that the AIA information on the Root is not needed as users are already required to have the Root CA certificate in their trusted CA store. Can you confirm that AIA information on the Root CA is not needed? – kevin rennenberg Apr 06 '20 at 10:47
  • The AIA is used to find the authority which issued the certificate. In the case of the Root CA, it is its own authority and therefore the AIA is pointless. You don't need it on the certificate issued by the Root CA either, as it should be in the relying party's trust-anchor store. If it's not, then you don't trust it and therefore don't care if the chain builds. Also, note that chains which fail due to an inaccessible AIA are signs of ill-configured end-entities, as they should present all certificates in the chain to the relying parties and therefore never really need an AIA. – garethTheRed Apr 06 '20 at 10:50
  • If you change the CDP/AIA configuration on the root CA, you will have to reissue all certificates below the root in order for the changes to take effect. – Crypt32 Apr 06 '20 at 13:59
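As an added example (not code from the question or the comments), a small Go program that builds a two-tier chain with constructed names and URLs and applies the rule stated in the comments: AIA on a trust anchor is never followed, and a subordinate only depends on its AIA when the relying party is not handed the full chain. The `pki.example.test` URL and the CA names are placeholders; Go's standard library encodes `IssuingCertificateURL` as the AIA caIssuers entry.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // demo-only: a real tool returns errors
	if err != nil {
		panic(err)
	}
	return v
}
// NewCA issues a CA cert carrying aia as its AIA caIssuers URL; nil parent = self-signed root.
func NewCA(cn string, serial int64, aia string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		IssuingCertificateURL: []string{aia}, // encoded as the AIA extension
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// LintAIA applies the rule from the comments: a trust anchor's AIA is never
// followed, and another cert only needs its AIA if the bundle omits its issuer.
func LintAIA(bundle []*x509.Certificate) []string {
	present := map[string]bool{}
	for _, c := range bundle {
		present[c.Subject.String()] = true
	}
	var findings []string
	for _, c := range bundle {
		isRoot := c.Subject.String() == c.Issuer.String()
		if isRoot && len(c.IssuingCertificateURL) > 0 {
			findings = append(findings, c.Subject.CommonName+": AIA on a trust anchor is never followed")
		} else if !isRoot && !present[c.Issuer.String()] {
			findings = append(findings, c.Subject.CommonName+": issuer not in bundle, chain building needs AIA")
		}
	}
	return findings
}
```

Running `LintAIA` over the root plus the subordinate flags only the root's AIA, while a bundle holding the subordinate alone is flagged as depending on AIA; the chain itself verifies offline against the root as trust anchor.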

0 Answers