CRLs and AIAs - The Paths to Enlightenment

Tags: CA, PKI, Windows Server

This past week I've been delving back into configuration of Certificate Authorities - and particularly into the most appropriate URLs for the CDP and AIA extensions in certificates.

In case you're not familiar with these abbreviations:

AIA - Authority Information Access. The URL(s) from which a client can retrieve the certificate of the CA that issued the certificate being validated (the parent CA), so that it can build the chain. A root CA certificate is self-signed and has no parent, so by definition it carries no AIA extension. (In Windows the same extension can also carry an OCSP responder URL, which this post does not cover.)

CDP - CRL Distribution Point. The URL(s) from which a client checking whether a certificate has been revoked should retrieve the issuing CA's CRL.

CRL - Certificate Revocation List. The signed file stored at the CDP listing the certificates the CA has explicitly declared invalid before their expiry (as opposed to certificates that have simply expired), together with the date by which the next CRL will be issued.

The Windows tools provide a number of variables which can be used to dynamically create paths and filenames for the AIA (certificate) and CDP (CRL). However, most engineers I've worked with don't know from the description what the variables even mean, so as much for my memory as for them, here's the list:

<CAName>

Overview: CAName is the "CN" portion of the CA's formal X.500 name, URL-encoded.

Valid for: AIA, CDP

Examples:
  First certificate: if the Certificate Authority is called "Company Root CA", the value of CAName is "Company%20Root%20CA".
  Next certificate (same key): same as the first certificate.
  Next certificate (new key): same as the first certificate.
  Full CRL: same as the first certificate.
  Delta CRL: same as the first certificate.

Recommendation: Mixed
  Use in AIA: Maybe. Not recommended for HTTP and file paths if the name contains anything other than the URL "unreserved" characters (letters, digits, and the punctuation period (.), dash (-), underscore (_) and tilde (~)). Anything else is percent-encoded in the URL, and the file name on the web server or share then has to match whichever form (encoded or decoded) that server applies to the request.
  Use in CDP: Maybe. The same considerations as for AIA apply.

<CAObjectClass>

Overview: CAObjectClass is the attribute, search scope and filter that end an LDAP URL for CA certificate objects. It is used only as the final part of LDAP URLs, so that queries return the CA certificate attribute of the right object class and publication creates the correct object type.

Valid for: AIA, CDP

Examples:
  First certificate: the invariant string "cACertificate?base?objectClass=certificationAuthority".
  Next certificate (same key): same as the first certificate.
  Next certificate (new key): same as the first certificate.
  Full CRL: the same invariant string, which for a CRL names the wrong attribute and object class.
  Delta CRL: the same invariant string, which for a CRL names the wrong attribute and object class.

Recommendation: Mixed
  Use in AIA: Maybe. Invalid for HTTP and file URLs because of the question marks. Valid for LDAP URLs, but an LDAP URL names an internal directory location that may not resolve outside the corporate network.
  Use in CDP: No. Invalid for HTTP and file URLs because of the question marks, and in LDAP URLs it specifies the wrong attribute and object class for a CRL (that is what <CDPObjectClass> is for).

<CATruncatedName>

Overview: CATruncatedName is the "CN" portion of the CA's formal X.500 name, without URL encoding. As the name suggests, Windows truncates long CA names in this value, which is why it (and not CAName) is used to build LDAP distinguished names.

Valid for: AIA, CDP

Examples:
  First certificate: if the Certificate Authority is called "Company Root CA", the value of CATruncatedName is "Company Root CA".
  Next certificate (same key): same as the first certificate.
  Next certificate (new key): same as the first certificate.
  Full CRL: same as the first certificate.
  Delta CRL: same as the first certificate.

Recommendation: Mixed
  Use in AIA: Maybe. Results may be inconsistent in HTTP and file URLs because of the spaces and the differing interpretations of encoding (whether it is required in the request, on disk, and so on). Valid for LDAP URLs.
  Use in CDP: Maybe. The same considerations as for AIA apply.

<CDPObjectClass>

Overview: CDPObjectClass is the attribute, search scope and filter that end an LDAP URL for CRL objects. It is used only as the final part of LDAP URLs, so that queries return the CRL attribute of the right object class and publication creates the correct object type.

Valid for: CDP only

Examples:
  First certificate: N/A (not available in AIA paths).
  Next certificate (same key): N/A (not available in AIA paths).
  Next certificate (new key): N/A (not available in AIA paths).
  Full CRL: the invariant string "certificateRevocationList?base?objectClass=cRLDistributionPoint".
  Delta CRL: the attribute changes to the one that holds delta CRLs on the same object, giving "deltaRevocationList?base?objectClass=cRLDistributionPoint".

Recommendation: Mixed
  Use in AIA: No. The variable is not available in AIA paths.
  Use in CDP: Maybe. Invalid for HTTP and file URLs because of the question marks. Valid for LDAP URLs, but an LDAP URL names an internal directory location that may not resolve outside the corporate network.

<CertificateName>

Overview: CertificateName is the generation number of the CA certificate, rounded down to the lowest-numbered certificate that shares the same key pair. The examples below give the exact rules.

Valid for: AIA, CDP

Examples:
  First certificate: blank (empty). Appended to the AIA path of the first certificate (generation 0) it appears to do nothing.
  Next certificate (same key): same as the previous generation. If generation 0 is renewed with the same key, CertificateName stays blank. See also the next item.
  Next certificate (new key): the generation number in a single pair of round brackets. If this is certificate 2, CertificateName is "(2)". If that certificate is then renewed with the same key (certificate 3), CertificateName is still "(2)".
  Full CRL: same as the certificate that signs it. The CA signs a separate CRL with each of its key pairs for as long as certificates issued under that key remain valid, so there will be several valid CRLs at once, one per key generation.
  Delta CRL: same as the parent full CRL.

Recommendation: Generally recommended
  Use in AIA: Yes. CertificateName should ALWAYS be included in AIA paths. Nothing breaks until the CA certificate is renewed with a new key, but at that point a path without it gives the new certificate the same URL as the old one, and clients building a chain for certificates issued under the old key fetch the new certificate and fail.
  Use in CDP: Maybe. It would be a definite yes were it not for the CRLNameSuffix variable, which is identical in practice. Use at least one of them (but you only need one).

<ConfigurationContainer>

Overview: ConfigurationContainer is the distinguished name (DN) of the Active Directory forest's Configuration naming context. It is forest-wide and is always rooted under the forest root domain, not under whichever domain the CA happens to be joined to.

Valid for: AIA, CDP

Examples:
  First certificate: if the forest root domain's DNS name is "ad.mycompany.lan", ConfigurationContainer is "CN=Configuration,DC=ad,DC=mycompany,DC=lan".
  Next certificate (same key): same as the first certificate.
  Next certificate (new key): same as the first certificate.
  Full CRL: same as the first certificate.
  Delta CRL: same as the first certificate.

Recommendation: Mixed
  Use in AIA: Maybe. Syntactically valid in HTTP and file URLs but carries no useful information there. Valid for LDAP URLs, but an LDAP URL names an internal directory location that may not resolve outside the corporate network (or at all for clients that are not domain members).
  Use in CDP: Maybe. The same considerations as for AIA apply.

<CRLNameSuffix>

Overview: CRLNameSuffix is the generation number of the CA certificate that signs the CRL, rounded down to the lowest-numbered certificate sharing the same key pair. It follows the same rules as CertificateName.

Valid for: CDP only

Examples:
  First certificate: N/A (not available in AIA paths).
  Next certificate (same key): N/A (not available in AIA paths).
  Next certificate (new key): N/A (not available in AIA paths).
  Full CRL: same as the certificate that signs it; see the rules for CertificateName.
  Delta CRL: same as the parent full CRL.

Recommendation: Required for CDP
  Use in AIA: No. The variable is not available in AIA paths.
  Use in CDP: Yes. Required to keep the CRLs signed by different CA keys at different URLs, unless CertificateName is already present in the URL. See also the rules for CertificateName.

<DeltaCRLAllowed>

Overview: DeltaCRLAllowed is the tag that distinguishes a delta CRL from a full (base) CRL.

Valid for: CDP only

Examples:
  First certificate: N/A (not available in AIA paths).
  Next certificate (same key): N/A (not available in AIA paths).
  Next certificate (new key): N/A (not available in AIA paths).
  Full CRL: empty. Full CRLs carry no tag.
  Delta CRL: a single plus sign, "+".

Recommendation: Required for CDP
  Use in AIA: No. The variable is not available in AIA paths.
  Use in CDP: Yes. Required whenever delta CRLs are in use; without it the delta CRL lands at the same path as the base CRL. One caveat for HTTP CDPs: IIS request filtering rejects URLs containing "+" by default, so the site hosting the CRLs needs "Allow double escaping" enabled (allowDoubleEscaping="true" in the requestFiltering section), or every delta CRL request is answered with HTTP 404 and clients fall back to the base CRL until it expires.
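The PowerShell below is an illustration added here, not code from the Windows tools or from the original post. It models the expansion rules described above for the generation-dependent variables (CertificateName, CRLNameSuffix and DeltaCRLAllowed) together with CAName encoding, over a sample renewal history, and prints the URLs each generation would embed. The CA name "Company Root CA", the host pki.example.com, the URL templates and the two function names are assumed sample values.

```powershell
# Added example (not from the original post): model how CertificateName,
# CRLNameSuffix and DeltaCRLAllowed expand across CA certificate renewals.
# CA name, host name and templates are assumed sample values.

function Get-CaGenerationSuffix {
    # Returns one object per CA certificate generation. $NewKey[$i] is $true
    # when generation $i was created with a new key pair. Generation 0 is
    # always a new key, so its entry is ignored.
    param([bool[]]$NewKey)

    $suffix = ''   # generation 0: CertificateName / CRLNameSuffix are blank
    for ($i = 0; $i -lt $NewKey.Count; $i++) {
        if ($i -gt 0 -and $NewKey[$i]) {
            # New key pair: the suffix becomes this generation's number in round brackets
            $suffix = "($i)"
        }
        # Same key pair: the suffix is inherited from the oldest certificate using that key
        [pscustomobject]@{
            Generation      = $i
            NewKey          = ($i -eq 0 -or $NewKey[$i])
            CertificateName = $suffix
            CRLNameSuffix   = $suffix
        }
    }
}

function Expand-PkiUrl {
    # Substitute every <Variable> token in a CDP/AIA template with its value.
    param([string]$Template, [hashtable]$Values)
    $out = $Template
    foreach ($name in $Values.Keys) {
        $out = $out.Replace("<$name>", [string]$Values[$name])
    }
    return $out
}

$caName = 'Company Root CA'
$static = @{
    CAName          = [uri]::EscapeDataString($caName)   # URL-encoded form
    CATruncatedName = $caName                            # no encoding
    ServerDNSName   = 'ca01.ad.mycompany.lan'            # assumed internal name
}

$aiaTemplate = 'http://pki.example.com/<CAName><CertificateName>.cer'
$crlTemplate = 'http://pki.example.com/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# Sample renewal history: gen 0 new key, gen 1 same key, gen 2 new key, gen 3 same key
Get-CaGenerationSuffix -NewKey @($true, $false, $true, $false) |
    ForEach-Object {
        $v = $static.Clone()
        $v.CertificateName = $_.CertificateName
        $v.CRLNameSuffix   = $_.CRLNameSuffix

        $v.DeltaCRLAllowed = ''      # full CRL: no tag
        $baseCrl = Expand-PkiUrl $crlTemplate $v
        $v.DeltaCRLAllowed = '+'     # delta CRL: a single plus sign
        $deltaCrl = Expand-PkiUrl $crlTemplate $v

        [pscustomobject]@{
            Gen      = $_.Generation
            NewKey   = $_.NewKey
            AIA      = Expand-PkiUrl $aiaTemplate $v
            BaseCRL  = $baseCrl
            DeltaCRL = $deltaCrl
        }
    } | Format-Table -AutoSize
```

For this history the table shows generations 0 and 1 sharing blank suffixes (Company%20Root%20CA.cer, .crl and +.crl) and generations 2 and 3 sharing "(2)". That is the whole point of including CertificateName or CRLNameSuffix: drop it and the new-key certificate and its CRLs overwrite the old ones at the same URL while certificates issued under the old key are still in use.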

<ServerDNSName>

Overview: ServerDNSName is the fully qualified DNS name of the CA server (its host name plus its primary DNS suffix).

Valid for: AIA, CDP

Examples:
  First certificate: if the computer name is "NetBIOS" and the primary DNS suffix is the Active Directory domain "ad.mycompany.lan", ServerDNSName is "NetBIOS.ad.mycompany.lan".
  Next certificate (same key): same as the first certificate.
  Next certificate (new key): same as the first certificate.
  Full CRL: same as the first certificate.
  Delta CRL: same as the first certificate.

Recommendation: Mixed
  Use in AIA: Maybe. Valid in all URL types, but it names the CA server itself by its internal name, which may not resolve outside the corporate network and ties every relying party to the CA host rather than to a web server you can move or load-balance.
  Use in CDP: Maybe. The same considerations as for AIA apply.

<ServerShortName>

Overview: ServerShortName is the NetBIOS computer name of the CA server.

Valid for: AIA, CDP

Examples:
  First certificate: if the computer name is "NetBIOS", ServerShortName is "NetBIOS".
  Next certificate (same key): same as the first certificate.
  Next certificate (new key): same as the first certificate.
  Full CRL: same as the first certificate.
  Delta CRL: same as the first certificate.

Recommendation: Mixed
  Use in AIA: Maybe. Valid in all URL types, but it is an internal, unqualified name that may not resolve outside the corporate network (or outside the CA's own DNS suffix).
  Use in CDP: Maybe. The same considerations as for AIA apply.

It's all too complex! I still don't get it! Can't you just tell me what I should use for each type of URL?

Well, not really. But the following are good starting points for you to consider. I can't tell you exactly what will, or will not work in your environment - at least, not without looking at your services and servers, and creating a design just for you. If you feel like you need that level of help, drop us a line and we'll see if we can work out an arrangement.

Purpose of URL    Example
AIA - LDAP URL    ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
AIA - HTTP URL    http://pkiwebsite.company.com/DescriptiveName<CertificateName>.cer
AIA - FILE URL    file://pkiwebserver/share$/DescriptiveName<CertificateName>.cer
CRL - LDAP URL    ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
CRL - HTTP URL    http://pkiwebsite.company.com/DescriptiveName<CRLNameSuffix><DeltaCRLAllowed>.crl
CRL - FILE URL    file://pkiwebserver/share$/DescriptiveName<CRLNameSuffix><DeltaCRLAllowed>.crl

Note that the LDAP URLs need three slashes (an empty host, so the client uses its own directory), and the CDP distinguished name must have a comma between the <ServerShortName> and CN=CDP components. Because the HTTP and file examples use a fixed DescriptiveName rather than CAName, the files the CA publishes must be renamed to match when they are copied to the web server or share.
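The following PowerShell is an added example, not code from the original post or from the Windows tools themselves. It applies an HTTP CDP and AIA pair of the shape recommended above to an AD CS CA with the ADCSAdministration module, and then runs the checks that catch the usual mistakes. The host name pki.example.com, the /pki virtual directory, the site name "Default Web Site" and the path C:\temp\issued.cer are assumed values; the tokens are spelled the way the Certification Authority snap-in presents them (<CaName> is the page's <CAName>).

```powershell
# Added example (not from the original post or the Windows tools): apply the
# recommended HTTP CDP/AIA URLs to an AD CS CA and verify the result.
# pki.example.com, /pki, "Default Web Site" and C:\temp\issued.cer are assumed.

Import-Module ADCSAdministration

# Tokens as the Certification Authority snap-in spells them.
$crlUrl = 'http://pki.example.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$aiaUrl = 'http://pki.example.com/pki/<CaName><CertificateName>.cer'

# 1. Remove the default HTTP entries. They embed <ServerDNSName>, the CA's
#    internal name, which is exactly what the tables above warn against.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'http://*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -like 'http://*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# 2. Add the external URLs. The CDP goes into issued certificates and, as the
#    "freshest CRL" pointer, into base CRLs so clients can locate the delta.
#    The CA cannot publish over HTTP, so the .crl and .cer files it writes to
#    its local/UNC publication locations must be copied to the web server
#    under exactly the names these URLs expand to.
Add-CACrlDistributionPoint -Uri $crlUrl -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri $aiaUrl -AddToCertificateAia -Force

Restart-Service certsvc
certutil -CRL        # publish a new base (and delta, if enabled) CRL right away

# 3. Checks.
# Show every configured URL with its publication flags, as the CA stored it.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# On the web server: IIS request filtering rejects the "+" in delta CRL names
# unless double escaping is allowed, so delta CRL fetches would return 404.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name allowDoubleEscaping -Value $true

# Finally, take a relying party's view: fetch every AIA and CDP URL embedded
# in a freshly issued certificate and report which ones cannot be retrieved.
certutil -verify -urlfetch C:\temp\issued.cer
```

Run the last command from a machine outside the domain as well as inside it; a URL that works on the CA host but fails there is the internal-name problem the tables above describe. The LDAP and file entries are deliberately left in place here, since they still serve domain members and the CA's own publication.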
