From time to time I see questions about CDP and AIA extensions on Root CA servers and in Root CA certificates.
Check these articles for a better understanding of the certificate chaining engine:
Let's see how the certificate chaining engine (CCE) uses these extensions. First, an application must build a certificate chain. When the CCE processes a certificate, it uses the AIA extension to locate and retrieve the issuer's certificate. Once that certificate is retrieved, the CCE makes the issuer's certificate the *current* certificate and repeats the step for the current certificate's issuer. This is normal and expected behavior for certificates that are not self-signed. When a certificate is self-signed there is no issuer: the certificate is issued to itself. As a result, if an AIA extension exists in a self-signed certificate it can only point back to the certificate itself and will cause loops. To address this, it is recommended to *NOT INCLUDE* the AIA extension in a self-signed certificate (also referred to as a Root certificate).
Once the certificate chain is built, the CCE checks each certificate in the chain for revocation. For this it uses the CDP extension. Again, the CCE retrieves the URL of a CRL published by the issuer of the certificate being verified. When the certificate's status has been determined (and, hopefully, it is not revoked), the CCE makes the issuer's certificate the *current* certificate and retrieves the CRL of the current certificate's issuer. This process continues until it reaches a self-signed certificate. Since there is no issuer (the certificate is issued to itself), a certificate cannot revoke itself (at least in Windows PKI). As a result it is recommended to *NOT INCLUDE* the CDP extension in a self-signed certificate (also referred to as a Root certificate).
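The walk described above can be observed directly. The following PowerShell function is an added example and not part of the original article: it builds a chain with the .NET X509Chain class (which sits on top of the Windows CCE) and, for each element from leaf to root, reports whether the certificate is self-signed, which AIA and CDP URLs it carries, and the chain status of that element. Revocation checking is set to ExcludeRoot, the mode most Windows applications use, so the self-signed root is never looked up in a CRL. The certificate path in the usage line is an assumption.

```powershell
# Added example (not from the original article): walk a certificate chain the
# way the CCE does and show which AIA/CDP URLs each element carries.
function Get-ChainWalk {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $aiaOid = '1.3.6.1.5.5.7.1.1'   # id-pe-authorityInfoAccess
    $cdpOid = '2.5.29.31'           # id-ce-cRLDistributionPoints

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking, but skip the root: a self-signed certificate has
    # no issuer CRL to consult, which is why most applications use ExcludeRoot.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # Build() returns $false if any element has a status error; the elements are
    # still populated, so the chain can be inspected either way.
    $built = $chain.Build($Certificate)

    # ChainElements[0] is the leaf; the last element is the (self-signed) root,
    # i.e. the order in which the CCE walked from leaf to root.
    foreach ($element in $chain.ChainElements) {
        $c      = $element.Certificate
        $aia    = $c.Extensions | Where-Object { $_.Oid.Value -eq $aiaOid }
        $cdp    = $c.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
        $status = $element.ChainElementStatus | ForEach-Object { $_.Status }
        [pscustomobject]@{
            Subject    = $c.Subject
            # Quick check; the CCE additionally verifies the signature with the cert's own key.
            SelfSigned = ($c.Subject -eq $c.Issuer)
            AIA        = if ($aia) { $aia.Format($false) } else { '<none>' }
            CDP        = if ($cdp) { $cdp.Format($false) } else { '<none>' }
            Status     = if ($status) { $status -join ', ' } else { 'NoError' }
            ChainValid = $built
        }
    }
}

# Usage (path is an assumption): inspect the chain of an end-entity certificate.
# A correctly built root shows SelfSigned = True, AIA = <none>, CDP = <none>.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\leaf.cer'
Get-ChainWalk -Certificate $leaf | Format-List
```

If the root element reports an AIA or CDP value, the Root CA was installed with those extensions in its own certificate, which is exactly the situation the rest of this post explains how to avoid.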
The biggest problem here is that many IT admins assume that CDP and AIA extensions MUST NOT be configured on Root CA servers. This is INCORRECT. When you configure CDP and AIA extensions on a CA server (using the Certification Authority MMC snap-in or the certutil.exe utility), they affect only the certificates *issued* by this CA (Sub CA certificates or end-entity certificates), not the CA certificate itself. Also, many applications are configured not to check the Root CA certificate for revocation even if it contains a CDP extension.
To keep these extensions out of the Root CA certificate you MUST create (or edit an existing) CAPolicy.inf file. It MUST have exactly that name and MUST be placed in the %windir% directory on the CA server *prior* to Root CA service installation, because it is not possible to modify the Root CA certificate after the CA service has been installed. The following syntax can be used:

[Version]
Signature = "$Windows NT$"

[AuthorityInformationAccess]
Empty = true

[CRLDistributionPoint]
Empty = true

This configuration is necessary for CA servers based on Windows 2000 and Windows Server 2003. Windows Server 2008 and newer operating systems do not include these extensions in Root CA certificates by default.
Once the Root CA is installed you should modify the AIA and CDP extension settings to fit your organization's requirements and your network/AD topology. The URLs from these settings will be included in all issued certificates, and applications use them to build correct chains to this Root CA and to perform revocation checking on certificates issued by this CA.
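The whole procedure, as an added PowerShell example that is not part of the original article: write CAPolicy.inf before the role is installed, install a standalone Root CA, verify that the resulting Root CA certificate is self-signed and carries neither AIA nor CDP, and then set the CDP and AIA URLs that go into issued certificates. The CA name, key parameters, lifetime and the http://pki.example.com publishing URL are assumptions; the ADCSDeployment and ADCSAdministration cmdlets used here exist on Windows Server 2012 and later (on older systems the same settings are made with certutil -setreg CA\CRLPublicationURLs and CA\CACertPublicationURLs).

```powershell
# Added example (not from the original article). Run elevated on the future
# Root CA. CA name, key size, lifetime and publishing URL are assumptions.
$ErrorActionPreference = 'Stop'

# 1. CAPolicy.inf in %windir%, *before* the CA role is installed. A single-quoted
#    here-string keeps "$Windows NT$" from being expanded as a variable.
$caPolicy = @'
[Version]
Signature = "$Windows NT$"

[AuthorityInformationAccess]
Empty = true

[CRLDistributionPoint]
Empty = true
'@
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding ASCII

# 2. Install the role and a standalone Root CA (typical for an offline root).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName 'Example Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# 3. Verify the new Root CA certificate: self-signed, and no AIA/CDP extension.
function Test-RootCaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $oids = $Certificate.Extensions | ForEach-Object { $_.Oid.Value }
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        SelfSigned = ($Certificate.Subject -eq $Certificate.Issuer)
        HasAIA     = ($oids -contains '1.3.6.1.5.5.7.1.1')   # id-pe-authorityInfoAccess
        HasCDP     = ($oids -contains '2.5.29.31')           # id-ce-cRLDistributionPoints
    }
}
$cerPath = Join-Path $env:TEMP 'rootca.cer'
certutil -ca.cert $cerPath | Out-Null      # exports the CA's own certificate
$check = Test-RootCaCertificate (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath)
if (-not $check.SelfSigned -or $check.HasAIA -or $check.HasCDP) {
    throw "Root CA certificate is not in the expected form: $($check | Out-String)"
}

# 4. CDP/AIA URLs for *issued* certificates. These settings live in the CA's
#    registry configuration and never change the Root CA certificate itself.
Import-Module ADCSAdministration
$httpBase = 'http://pki.example.com/CertEnroll'   # assumed HTTP publishing location

# Drop the default ldap/http/file entries (they embed this server's own name);
# keep the local file-system path so the CA still writes the CRL to disk.
Get-CACrlDistributionPoint | Where-Object { $_.Uri -match '^(ldap|http|file):' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
# %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix
Add-CACrlDistributionPoint -Uri "$httpBase/%3%8%9.crl" -AddToCertificateCdp -AddToFreshestCrl -Force

Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -match '^(ldap|http|file):' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
# %1 = server DNS name, %4 = certificate (renewal) suffix
Add-CAAuthorityInformationAccess -Uri "$httpBase/%1_%3%4.crt" -AddToCertificateAia -Force

Restart-Service certsvc
certutil -crl    # publish a fresh CRL under the new settings
```

Step 3 is the check worth keeping around: rerun Test-RootCaCertificate against the exported root after any CA renewal, since a renewal performed without CAPolicy.inf in place on an old OS would reintroduce the extensions. Step 4 can be rerun at any time; it only changes what future issued certificates and CRLs will contain.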