This past week I've been delving back into configuration of Certificate Authorities - and particularly into the most appropriate URLs for the CDP and AIA extensions in certificates.

In case you're not familiar with these abbreviations:

AIA - Authority Information Access. The URL(s) to a copy of the public certificate for the parent CA. Note that this definition explicitly precludes the root CA from having the AIA extension defined in the certificate.

CDP - CRL Distribution Point. The URL(s) to the CRL which should be retrieved by a client wishing to validate a certificate.

CRL - Certificate Revocation List. The file stored at the CDP describing the list of certificates which are no longer valid, and have been marked so explicitly (as opposed to simply expiring).

The Windows tools provide a number of variables which can be used to dynamically create paths and filenames for the AIA (certificate) and CDP (CRL). However, most engineers I've worked with don't know from the description what the variables even mean, so as much for my memory as for them, here's the list:

CAName
CAName is the "CN" portion of the CA's formal X.500 name, with the name encoded in URL syntax.

Valid for AIA:
  First Certificate: If the Certificate Authority is called "Company Root CA", then the value of the CAName variable is "Company%20Root%20CA".
  Next Certificate (same key): Same as the first certificate.
  Next Certificate (new key): Same as the first certificate.
Valid for CDP:
  Full CRL (same key): Same as the first certificate.
  Delta CRL: Same as the first certificate.
Recommendation: Mixed
  Use in AIA: Maybe. Not recommended for HTTP and File paths if the name contains anything other than the URL "Unreserved" characters (letters, numbers, and limited punctuation such as period (.), dash (-), underscore (_) and tilde (~)).
  Use in CDP: Maybe. Not recommended for HTTP and File paths if the name contains anything other than the URL "Unreserved" characters (letters, numbers, and limited punctuation such as period (.), dash (-), underscore (_) and tilde (~)).

CAObjectClass
CAObjectClass is the LDAP object type and descriptive class name for certificate objects, used only in LDAP URLs as the final part of the URL so that the directory service creates the correct object type.

Valid for AIA:
  First Certificate: The invariant string "cACertificate?base?objectClass=certificationAuthority".
  Next Certificate (same key): Same as the first certificate.
  Next Certificate (new key): Same as the first certificate.
Valid for CDP:
  Full CRL (same key): N/A - not available for CRL paths.
  Delta CRL: N/A - not available for CRL paths.
Recommendation: Mixed
  Use in AIA: Maybe. Invalid for HTTP and File URLs, due to question marks. Valid for LDAP URLs, but LDAP URLs may specify internal path names and locations, so may not resolve outside the corporate network.
  Use in CDP: No. Invalid for HTTP and File URLs, due to question marks, and specifies the incorrect path and object type for LDAP URLs.

CATruncatedName
CATruncatedName is the "CN" portion of the CA's formal X.500 name, without special encoding.

Valid for AIA:
  First Certificate: If the Certificate Authority is called "Company Root CA", then the value of the CATruncatedName variable is "Company Root CA".
  Next Certificate (same key): Same as the first certificate.
  Next Certificate (new key): Same as the first certificate.
Valid for CDP:
  Full CRL (same key): Same as the first certificate.
  Delta CRL: Same as the first certificate.
Recommendation: Mixed
  Use in AIA: Maybe. Results may be inconsistent if used in HTTP and File URLs, due to spaces and the varying interpretations of encoding (e.g. whether it is required in the request, on disk, etc.). Valid for LDAP URLs.
  Use in CDP: Maybe. Results may be inconsistent if used in HTTP and File URLs, due to spaces and the varying interpretations of encoding (e.g. whether it is required in the request, on disk, etc.). Valid for LDAP URLs.

CDPObjectClass
CDPObjectClass is the LDAP object type and descriptive class name for CRL objects, used only in LDAP URLs as the final part of the URL so that the directory creates the correct object type.

Valid for AIA:
  First Certificate: N/A - not available for AIA paths.
  Next Certificate (same key): N/A - not available for AIA paths.
  Next Certificate (new key): N/A - not available for AIA paths.
Valid for CDP:
  Full CRL (same key): The invariant string "certificateRevocationList?base?objectClass=cRLDistributionPoint".
  Delta CRL: Same as the full CRL.
Recommendation: Mixed
  Use in AIA: No. The variable is not available for use in AIA paths.
  Use in CDP: Maybe. Invalid for HTTP and File URLs, due to question marks. Valid for LDAP URLs, but LDAP URLs may specify internal path names and locations, so may not resolve outside the corporate network.

CertificateName
CertificateName is the identification number ("generational" ID) of the certificate, rounded down to the lowest numbered certificate sharing the same keypair. Review the rules below for more information.

Valid for AIA:
  First Certificate: The value is blank (NULL). When added to the AIA path for the first certificate (generation #0) it will appear to do nothing.
  Next Certificate (same key): Same as the previous generation certificate. If the first generation certificate (#0) is renewed with the same key then, like the first certificate, CertificateName will be blank. See also the next item.
  Next Certificate (new key): The certificate number, enclosed in a single pair of round brackets. If this is certificate #2, then CertificateName will be "(2)". If this certificate is then renewed with the same key (#3), the next certificate's CertificateName value will still be "(2)".
Valid for CDP:
  Full CRL (same key): Same as the matching certificate. Note that due to the way CRLs are created, there will be multiple valid CRLs for different certificate generations (while the certificate remains valid).
  Delta CRL: Same as the parent full CRL.
Recommendation: Generally recommended
  Use in AIA: Yes. CertificateName should ALWAYS be included in AIA paths (though technically nothing will break until you renew the root certificate with a new key).
  Use in CDP: Maybe. It would be a definite yes were it not for the CRLNameSuffix variable, which is identical in practice. Use at least one of them (but you only need one).

ConfigurationContainer
ConfigurationContainer is the OU path to the Active Directory domain's Configuration partition.

Valid for AIA:
  First Certificate: If your Active Directory domain DNS name is "ad.mycompany.lan", the ConfigurationContainer value is "CN=Configuration,DC=ad,DC=mycompany,DC=lan".
  Next Certificate (same key): Same as the first certificate.
  Next Certificate (new key): Same as the first certificate.
Valid for CDP:
  Full CRL (same key): Same as the first certificate.
  Delta CRL: Same as the first certificate.
Recommendation: Mixed
  Use in AIA: Maybe. Valid for HTTP and File URLs but provides no useful information. Valid for LDAP URLs, but LDAP URLs may specify internal path names and locations, so may not resolve outside the corporate network.
  Use in CDP: Maybe. Valid for HTTP and File URLs but provides no useful information. Valid for LDAP URLs, but LDAP URLs may specify internal path names and locations, so may not resolve outside the corporate network.

CRLNameSuffix
CRLNameSuffix is the identification number ("generational" ID) of the certificate that matches (signs) the CRL, rounded down to the lowest numbered certificate sharing the same keypair. Review the rules below for more information.

Valid for AIA:
  First Certificate: N/A - not available for AIA paths.
  Next Certificate (same key): N/A - not available for AIA paths.
  Next Certificate (new key): N/A - not available for AIA paths.
Valid for CDP:
  Full CRL (same key): Same as the matching certificate. You should review the rules for the CertificateName variable.
  Delta CRL: Same as the parent CRL.
Recommendation: Required for CDP
  Use in AIA: No. The variable is not available for use in AIA paths.
  Use in CDP: Yes. Required to properly identify CRLs, if CertificateName is not present in the URL. See also the rules for CertificateName.

DeltaCRLAllowed
DeltaCRLAllowed is a tag that distinguishes a full CRL from a delta CRL.

Valid for AIA:
  First Certificate: N/A - not available for AIA paths.
  Next Certificate (same key): N/A - not available for AIA paths.
  Next Certificate (new key): N/A - not available for AIA paths.
Valid for CDP:
  Full CRL (same key): The value is empty (NULL). Full CRLs have no tag indicating they are a full CRL.
  Delta CRL: A single plus sign "+".
Recommendation: Required for CDP
  Use in AIA: No. The variable is not available for use in AIA paths.
  Use in CDP: Yes. Required to properly identify CRLs, if Delta CRLs are in use.

ServerDNSName
ServerDNSName is the fully-qualified internal server name (the combination of NetBIOS computer name and primary DNS suffix) of the server.

Valid for AIA:
  First Certificate: If the computer name is "NetBIOS" and the Active Directory DNS domain name is "ad.mycompany.lan", then ServerDNSName is "NetBIOS.ad.mycompany.lan".
  Next Certificate (same key): Same as the first certificate.
  Next Certificate (new key): Same as the first certificate.
Valid for CDP:
  Full CRL (same key): Same as the first certificate.
  Delta CRL: Same as the first certificate.
Recommendation: Mixed
  Use in AIA: Maybe. Valid for all URLs, but specifies internal names and locations, so may not resolve outside the corporate network.
  Use in CDP: Maybe. Valid for all URLs, but specifies internal names and locations, so may not resolve outside the corporate network.

ServerShortName
ServerShortName is the NetBIOS computer name of the server.

Valid for AIA:
  First Certificate: If the computer name is "NetBIOS" then ServerShortName is "NetBIOS".
  Next Certificate (same key): Same as the first certificate.
  Next Certificate (new key): Same as the first certificate.
Valid for CDP:
  Full CRL (same key): Same as the first certificate.
  Delta CRL: Same as the first certificate.
Recommendation: Mixed
  Use in AIA: Maybe. Valid for all URLs, but specifies internal names and locations, so may not resolve outside the corporate network.
  Use in CDP: Maybe. Valid for all URLs, but specifies internal names and locations, so may not resolve outside the corporate network.
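As an added check (example code, not from the original post), the following Python function lints a candidate AIA or CDP URL template against the per-variable recommendations above before it is committed to a CA. The template strings and CA name are constructed input, and demanding DeltaCRLAllowed only for HTTP and File paths is an assumption made here.

```python
import re

# Added example, not code from the original post. Variable names are the ones
# listed above; template strings and CA names passed in are constructed input.
KNOWN = {"CAName", "CAObjectClass", "CATruncatedName", "CDPObjectClass",
         "CertificateName", "ConfigurationContainer", "CRLNameSuffix",
         "DeltaCRLAllowed", "ServerDNSName", "ServerShortName"}
UNRESERVED = re.compile(r"[A-Za-z0-9._~-]+")   # URL "unreserved" characters

def lint_template(template, kind, ca_name="Company Root CA", delta_crls=True):
    """kind is 'AIA' or 'CDP'; returns a list of findings (empty when clean)."""
    findings = []
    scheme = template.split(":", 1)[0].lower()
    web_or_file = scheme in ("http", "https", "file")
    used = set(re.findall(r"<([A-Za-z]+)>", template))

    for var in sorted(used - KNOWN):
        findings.append(f"unknown variable <{var}>")

    # The object-class strings contain '?', so they are LDAP-only, and each
    # one belongs to exactly one extension.
    if web_or_file and used & {"CAObjectClass", "CDPObjectClass"}:
        findings.append("object-class variables are invalid in HTTP and File URLs")
    if kind == "AIA" and "CDPObjectClass" in used:
        findings.append("CDPObjectClass is not available in AIA paths")
    if kind == "CDP" and "CAObjectClass" in used:
        findings.append("CAObjectClass gives the wrong object type for a CDP")

    # Generation handling: AIA paths need CertificateName; CDP paths need
    # CertificateName or CRLNameSuffix. DeltaCRLAllowed is demanded only for
    # HTTP/File paths here (assumption: the LDAP example in the post omits it).
    if kind == "AIA" and "CertificateName" not in used:
        findings.append("AIA path should include CertificateName")
    if kind == "CDP" and not used & {"CertificateName", "CRLNameSuffix"}:
        findings.append("CDP path needs CertificateName or CRLNameSuffix")
    if kind == "CDP" and delta_crls and web_or_file and "DeltaCRLAllowed" not in used:
        findings.append("CDP path needs DeltaCRLAllowed when delta CRLs are in use")

    # CA-name variables are only safe in HTTP/File paths for "unreserved" names.
    if (web_or_file and used & {"CAName", "CATruncatedName"}
            and not UNRESERVED.fullmatch(ca_name)):
        findings.append("CA name needs URL encoding; results may be inconsistent")

    # LDAP URLs and the server-name variables embed internal names.
    if scheme == "ldap" or used & {"ServerDNSName", "ServerShortName"}:
        findings.append("uses internal names; may not resolve outside the corporate network")
    return findings
```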

It's all too complex! I still don't get it! Can't you just tell me what I should use for each type of URL?

Well, not really. But the following are good starting points for you to consider. I can't tell you exactly what will, or will not work in your environment - at least, not without looking at your services and servers, and creating a design just for you. If you feel like you need that level of help, drop us a line and we'll see if we can work out an arrangement.

Purpose of URL    Example
AIA - LDAP URL    ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
AIA - HTTP URL    http://pkiwebsite.company.com/DescriptiveName<CertificateName>.cer
AIA - FILE URL    file://pkiwebserver/share$/DescriptiveName<CertificateName>.cer
CRL - LDAP URL    ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
CRL - HTTP URL    http://pkiwebsite.company.com/DescriptiveName<CRLNameSuffix><DeltaCRLAllowed>.crl
CRL - FILE URL    file://pkiwebserver/share$/DescriptiveName<CRLNameSuffix><DeltaCRLAllowed>.crl
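As an added example (not code from the original post), this Python expands templates like those in the table above for successive CA certificate generations, applying the CertificateName, CRLNameSuffix and DeltaCRLAllowed rules described earlier. The CA name, server name, DNS suffix and generation history are constructed, and the leading "?" on the object-class strings is assumed from LDAP URL syntax (RFC 4516) rather than taken from the post.

```python
from urllib.parse import quote

# Added example, not code from the original post. Assumed generation history:
# gen 0 issued, gen 1 renewed with the same key, gen 2 renewed with a new key,
# gen 3 renewed with gen 2's key.
NEW_KEY_GENERATIONS = {0, 2}

def certificate_name(generation, new_key_generations=NEW_KEY_GENERATIONS):
    """CertificateName (and CRLNameSuffix): blank for generation 0 and its
    same-key renewals, otherwise '(n)' with n rounded down to the lowest
    generation that shares the key pair."""
    base = max(g for g in new_key_generations if g <= generation)
    return "" if base == 0 else f"({base})"

def expand(template, generation, delta=False, ca_name="Company Root CA",
           server_short="PKISRV", dns_suffix="ad.mycompany.lan"):
    """Substitute every <Variable> in template for the given CA certificate
    generation (delta=True selects the delta CRL form of a CDP URL)."""
    name = certificate_name(generation)
    container = "CN=Configuration," + ",".join(f"DC={p}" for p in dns_suffix.split("."))
    values = {
        "CAName": quote(ca_name, safe=""),        # encodes all but URL "unreserved" chars
        "CATruncatedName": ca_name,               # same name, no encoding
        "CertificateName": name,
        "CRLNameSuffix": name,
        "DeltaCRLAllowed": "+" if delta else "",
        "ServerShortName": server_short,
        "ServerDNSName": f"{server_short}.{dns_suffix}",
        "ConfigurationContainer": container,
        # Assumption: in an LDAP URL a '?' separates the DN from the attribute
        # list (RFC 4516), so it precedes the object-class strings here.
        "CAObjectClass": "?cACertificate?base?objectClass=certificationAuthority",
        "CDPObjectClass": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    }
    for var, val in values.items():
        template = template.replace(f"<{var}>", val)
    return template

AIA_HTTP = "http://pkiwebsite.company.com/DescriptiveName<CertificateName>.cer"
CDP_HTTP = "http://pkiwebsite.company.com/DescriptiveName<CRLNameSuffix><DeltaCRLAllowed>.crl"

if __name__ == "__main__":
    # Shows which file each generation's AIA and delta-CDP URLs point at.
    for gen in range(4):
        print(gen, expand(AIA_HTTP, gen), expand(CDP_HTTP, gen, delta=True))
```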