It is recommended NOT to have LDAP URLs in the CDP/AIA extensions. Instead, it is recommended to have one internally and externally accessible, highly available HTTP location.
Edit 31.10.2015:
The official Microsoft recommendation is written in the "Certificate Revocation Checking in Windows Vista and Windows Server 2008" whitepaper (p. 27):
Use HTTP
Although AD DS enables publication of CRLs to all domain controllers in the forest, we recommend implementing HTTP instead of LDAP for revocation information publication. Only HTTP enables the use of the ETag and Cache-Control: Max-age headers providing better support for proxies and more timely revocation information. In addition, HTTP provides better heterogeneous support as HTTP is supported by most Linux, UNIX, and network device clients.
and below:
Limit the Number of URLs
Instead of creating long listings of URLs for OCSP and CRL retrieval, consider limiting the lists to a single OCSP and a single CRL URL. Instead of providing multiple sites, work on ensuring that the sites referenced in the URLs are highly available and can handle the expected bandwidth requirements.
Besides what is cited above, I would add a brief explanation. When the certificate chaining engine (CCE) uses a CDP/AIA extension to download the requested object (it doesn't matter whether it is a certificate, a CRL, or anything else), the CCE attempts the URLs in the order they are listed in the extension. If the first URL fails, the second URL (if present) will be attempted, and so on. Microsoft CryptoAPI uses a 15-second timeout for the first URL and half the previous timeout for each subsequent URL (i.e. 7.5 seconds for the second URL, and so on).
When a certificate is used in an Active Directory domain environment, there are no problems with LDAP links. However, if any client that is not a member of the Active Directory forest attempts to validate such a certificate, it will wait for 15 seconds while contacting domain controllers. The LDAP URL is (most likely) not resolvable from the Internet, and even if it is resolvable, firewalls or DCs will refuse the connection. Then the CCE will attempt the second URL (which is HTTP in a default installation), which may succeed. However, depending on the certificate chain length, the validation procedure may take a while.
In addition, the certificate validation procedure cannot continue indefinitely: there is a global timeout for the certificate validation procedure. That is, certificate validation may fail because of this global timeout. As a result, you need to consider a highly available HTTP URL (on a load balancer) which is resolvable from inside and outside of the network. If that is the case, there is no need for secondary LDAP URLs, which will not work for Internet users.
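The retrieval order and timeouts described above can be modelled to estimate how long an external client waits on a chain whose CDP lists LDAP first. This is an added example, not part of the original answer; the host names, chain contents and the assumption that every unreachable URL consumes its full timeout (the worst case) are constructed for illustration.

```python
from urllib.parse import urlsplit

FIRST_URL_TIMEOUT = 15.0  # seconds for the first URL, as stated in the text above


def fetch_delay(urls, reachable_schemes):
    """Try URLs in extension order; return (seconds lost to timeouts, URL that worked or None).

    Assumption: an unreachable URL uses up its whole timeout before the next one is tried.
    """
    timeout, waited = FIRST_URL_TIMEOUT, 0.0
    for url in urls:
        if urlsplit(url).scheme.lower() in reachable_schemes:
            return waited, url
        waited += timeout
        timeout /= 2  # each subsequent URL gets half the previous timeout
    return waited, None


def chain_delay(chain, reachable_schemes):
    """Sum the wasted time over every certificate in the chain; also return a per-certificate report."""
    report = [(name, *fetch_delay(urls, reachable_schemes)) for name, urls in chain]
    return sum(waited for _, waited, _ in report), report


# Constructed sample data: CDP URL lists as they would appear in each certificate.
LDAP_CDP = "ldap:///CN=Example-CA,CN=CDP,CN=Public%20Key%20Services,DC=example,DC=com"
HTTP_CDP = "http://pki.example.com/crl/example-ca.crl"

LDAP_FIRST_CHAIN = [
    ("leaf certificate", [LDAP_CDP, HTTP_CDP]),
    ("issuing CA certificate", [LDAP_CDP, HTTP_CDP]),
]
HTTP_ONLY_CHAIN = [
    ("leaf certificate", [HTTP_CDP]),
    ("issuing CA certificate", [HTTP_CDP]),
]

if __name__ == "__main__":
    scenarios = [
        ("LDAP first, Internet client", LDAP_FIRST_CHAIN, {"http"}),
        ("LDAP first, domain member", LDAP_FIRST_CHAIN, {"ldap", "http"}),
        ("HTTP only, Internet client", HTTP_ONLY_CHAIN, {"http"}),
    ]
    for label, chain, schemes in scenarios:
        total, report = chain_delay(chain, schemes)
        print(f"{label}: {total:.2f} s lost before any CRL is downloaded")
        for name, waited, hit in report:
            print(f"  {name}: waited {waited:.2f} s, fetched from {hit}")
```

The total should be compared with the global validation timeout mentioned above; the answer does not state its value, so the model leaves it out.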