Sunday, April 22, 2012

AD CS: Authority information access locations

This article applies to Windows Server 2008 R2. It addresses a specific issue identified by a Best Practices Analyzer scan. Use this procedure only on computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic.

Operating System: Windows Server 2008 R2
Product/Feature: Active Directory Certificate Services
Severity: Warning
Category: Configuration

Issue
The certification authority (CA) isn’t configured to include authority information access locations in the extensions of issued certificates. The authority information access extension provides the network location of the issuing CA’s certificate.

Impact
Clients may not be able to locate the issuing CA's certificate to build a certificate chain, and certificate validation may fail.


Certificate validation is critical to a correctly functioning public key infrastructure (PKI). A valid certificate requires a certification path that leads to a trusted root certificate. To build a certification path, CryptoAPI retrieves the issuing CA’s certificate; it reads the authority information access extension of issued certificates to identify the network location of the CA's certificate. If the extension doesn’t include the location of the CA certificate, certificate validation can’t be completed, and applications that require the certificate may fail.
Resolution
You can use the Certification Authority snap-in to configure the authority information access extension and specify the network location of the issuing CA’s certificate. During CA installation, the default locations of the CA certificate are added to the authority information access extension settings, and the CA is configured to include the default locations in the extensions of all issued certificates. When the default locations aren’t present or valid, use the following procedure to add valid locations and configure them to be included in issued certificates.
How to configure authority information access extension settings?
1.    Open the Certification Authority snap-in.
2.    Right-click the CA and then select Properties.
3.    Click the Extensions tab.
4.    In the Select extension list, select Authority Information Access.
5.    If the Specify locations list doesn’t include a valid location for the CA certificate, click Add to open the Add Location dialog box.
6.    Type a valid location and click OK.
7.    Repeat the previous two steps for each additional location.
8.    In the Specify locations list, click a location and then select the Include in the Authority Information Access Extension of Issued Certificates check box.
9.    Click OK to save the changes.
10.    Restart Active Directory Certificate Services for the changes to take effect.
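
The same check and change can be made from PowerShell on the CA server. This is an added example, not part of the original article; the URL in `$NewLocation` is a placeholder, and `$Apply` is a hypothetical switch that keeps the script read-only by default.

```powershell
# Added example (not from the original article). Run elevated on the CA server.
# Assumptions: $NewLocation is a placeholder URL; $Apply is a hypothetical
# switch that keeps the script read-only until set to $true.
$NewLocation = 'http://pki.example.com/CertEnroll/%1_%3%4.crt'
$Apply       = $false

# AIA locations are stored per CA as "<flags>:<location>" strings (REG_MULTI_SZ).
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$caKey  = Join-Path $cfg $caName
$urls   = @((Get-ItemProperty -Path $caKey).CACertPublicationURLs | Where-Object { $_ })

# Flag bits:  1 = publish the CA certificate to this location
#             2 = include in the AIA extension of issued certificates
#            32 = include in the OCSP extension
$entries = @(foreach ($u in $urls) {
    if ($u -match '^(\d+):(.+)$') {
        New-Object PSObject -Property @{
            Flags         = [int]$Matches[1]
            IncludedInAia = ([int]$Matches[1] -band 2) -ne 0
            Location      = $Matches[2]
        }
    }
})
$entries | Format-Table Flags, IncludedInAia, Location -AutoSize

# The condition described under "Issue": no location carries the "include in AIA" bit.
if (-not ($entries | Where-Object { $_.IncludedInAia })) {
    Write-Warning 'No location is included in the AIA extension of issued certificates.'
    if ($Apply) {
        # certutil takes the whole multi-string value, entries separated by a literal \n.
        $value = ($urls + "2:$NewLocation") -join '\n'
        certutil -setreg CA\CACertPublicationURLs $value
        # The service must be restarted for the change to take effect.
        Restart-Service -Name CertSvc
    }
}
```

The setting only affects certificates issued after the restart. Running `certutil -verify -urlfetch` against a newly issued certificate file confirms that the CA certificate can be retrieved from the locations in its AIA extension.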
