
A default installation of a Microsoft PKI running on Windows includes LDAP URLs first within the CRL distribution points (CDPs) and Authority Information Access (AIA) extensions.

Question 1:

I want to issue a certificate from my Windows certificate authority server to a Cisco DNA device, but I want my HTTP-type CRL URL to be included first in my certificate and the internal LDAP URLs second within the CDP and AIA extensions.

Question 2:

I want to issue a certificate from my Windows certificate authority server to a Cisco DNA device, but I want only the HTTP-type CRL URL to be included in my certificate, with the internal LDAP URLs removed from the CDP and AIA extensions.

Please let me know if either of these configurations is possible for certificates issued from a Windows certificate authority.

1 Answer


Yes, both are possible. But do note that these are server-wide settings, so the values will be the same for all issued certificates.

The setting is in the CA's properties, under Extensions. You cannot reorder the entries from there without deleting them and adding them back in the required order; however, you can delete the line you don't need quite easily.

It is probably easier to find the setting in the registry (after making a backup, of course) and reorder the entries there. Look under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>\

You'll find CACertPublicationURLs and CRLPublicationURLs. Both are multi-strings (multi-line strings). Either re-order, or remove the entries you don't need, ensuring the last line is a blank line. Once you've done that, restart the CA service.

Note that Microsoft recommend not using LDAP for both CRL and CA certificates (AIA), so if you want to follow their recommendation, simply remove the LDAP lines either in the GUI or in the registry.

garethTheRed
  • Hi Gareth, thank you for your response. I understand this is a server-wide setting and we cannot explicitly do this for one specific certificate. However, please clarify for me: would removing the LDAP URL from both CRL and AIA affect the previously issued certificates? Would I need to reissue all the existing certificates? Also, please let me know, in case of any issues, what is the best way to revert the changes? – nithyanadham singaravadivelu Mar 29 '23 at 18:50
  • If you've previously issued certificates from this CA, then you will need to continue to publish _to_ LDAP so that those older certificates can still find the CRL in LDAP. You should only remove the entry which has the __Include in the CDP extension of issued certificates__ option selected. – garethTheRed Mar 29 '23 at 19:03
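The following PowerShell script is an added example, not code from the answer or the commenters, covering the registry procedure in the answer together with the point made in the last comment. It assumes it is run elevated on the CA itself, reads the CA's key name from the `Active` value under the `CertSvc\Configuration` key, exports that key as a backup, and then either reorders the entries so `http://` URLs precede `ldap:///` ones (Question 1) or clears the "Include in the CDP/AIA extension of issued certificates" flag on the LDAP entries while leaving the "Publish to this location" flag set, so previously issued certificates can still find the CRL in LDAP (Question 2). The `<flags>:<url>` entry format and the flag bits 1 (publish) and 2 (include in extension) are the ones documented for `certutil -setreg`; the `-Mode` and `-Apply` parameter names are this script's own. Without `-Apply` it only prints what it would write.

```powershell
# Added example: reorder or trim the CDP/AIA URL lists of an AD CS CA via the
# registry values named in the answer. Run elevated on the CA; the script only
# shows the proposed values unless -Apply is given.
param(
    [ValidateSet('HttpFirst', 'DropLdapFromExtension')]
    [string]$Mode = 'HttpFirst',   # HttpFirst = Question 1, DropLdapFromExtension = Question 2
    [switch]$Apply
)

$ErrorActionPreference = 'Stop'
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The CA's own key name is stored in the "Active" value of the Configuration key.
$caName = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey  = Join-Path $configKey $caName

# Flag bits used by every entry in CRLPublicationURLs / CACertPublicationURLs.
$FlagPublish            = 1   # publish the CRL / CA certificate to this location
$FlagIncludeInExtension = 2   # stamp the URL into the CDP (CRL list) or AIA (CA cert list) of new certs

function Convert-UrlEntry {
    # Split "<flags>:<url>" at the first colon; the URL itself may contain ':'.
    param([string]$Entry)
    $sep = $Entry.IndexOf(':')
    [pscustomobject]@{
        Flags = [int]$Entry.Substring(0, $sep)
        Url   = $Entry.Substring($sep + 1)
    }
}

function Update-UrlList {
    param([string[]]$Entries, [string]$Mode)
    $parsed = @($Entries | Where-Object { $_ } | ForEach-Object { Convert-UrlEntry $_ })
    switch ($Mode) {
        'HttpFirst' {
            # Question 1: keep every entry, but list http:// ahead of ldap:///.
            # Local file paths (the CA's own publishing location) stay in front.
            $http  = @($parsed | Where-Object { $_.Url -like 'http://*' })
            $ldap  = @($parsed | Where-Object { $_.Url -like 'ldap:*' })
            $other = @($parsed | Where-Object { $_.Url -notlike 'http://*' -and $_.Url -notlike 'ldap:*' })
            $parsed = $other + $http + $ldap
        }
        'DropLdapFromExtension' {
            # Question 2: stop stamping LDAP URLs into new certificates, but keep
            # publishing there (flag 1) so older certificates still find the CRL.
            foreach ($e in $parsed) {
                if ($e.Url -like 'ldap:*') {
                    $e.Flags = $e.Flags -band (-bnot $FlagIncludeInExtension)
                }
            }
        }
    }
    # Set-ItemProperty writes the multi-string terminator itself; the trailing
    # blank line the answer mentions is only needed in regedit's editor.
    @($parsed | ForEach-Object { '{0}:{1}' -f $_.Flags, $_.Url })
}

# Backup first: an exported .reg file is the simplest way to revert.
$backup = Join-Path $env:TEMP ("CertSvc-{0}-{1:yyyyMMdd-HHmmss}.reg" -f $caName, (Get-Date))
& reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" $backup /y | Out-Null
Write-Host "Backup written to $backup"

foreach ($valueName in 'CRLPublicationURLs', 'CACertPublicationURLs') {
    $current = (Get-ItemProperty -Path $caKey -Name $valueName).$valueName
    $updated = Update-UrlList -Entries $current -Mode $Mode
    Write-Host "`n$valueName ($Mode):"
    $updated | ForEach-Object { Write-Host "  $_" }
    if ($Apply) {
        Set-ItemProperty -Path $caKey -Name $valueName -Value ([string[]]$updated) -Type MultiString
    }
}

if ($Apply) {
    # The CA reads these values at start-up, as the answer says.
    Restart-Service -Name CertSvc
    Write-Host "`nCertSvc restarted. Verify with: certutil -getreg CA\CRLPublicationURLs"
}
```

Reverting is a matter of importing the exported `.reg` file (`reg import <file>`) and restarting `CertSvc` again. After applying, the new order or the trimmed list only shows up in certificates issued from that point on; `certutil -dump` on a freshly issued certificate shows the CDP and AIA extensions as the CA now writes them, which is the quickest way to confirm the change took effect for the Cisco device's certificate.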