Recommended Windows CA Publication URLs & Flags / Two-Tier Small-scale Internal CAs

The following is a set of recommended publication URLs & flags for a small-scale, two-tier CA for use in an internal network.

Offline Root / Policy

CDP (CA\CRLPublicationURLs) Flags

| Meaning | Enumeration | Value | Direct Path | HTTP [AKA] | ldap:/// [LDAP] |
|---|---|---|---|---|---|
| Publish CRLs to this location [OCPP] | CSURL_SERVERPUBLISH | 1 | ● | | |
| Include in all CRLs. Specifies where to publish in the AD | CSURL_ADDTOCRLCDP | 8 | | | ● |
| Include in CRLs [DRMC] | CSURL_ADDTOFRESHESTCRL | 4 | | | |
| Include in the CDP extension of issued certificates | CSURL_ADDTOCERTCDP | 2 | | ● | ● |
| Publish Delta CRLs to this location [DRMC] | CSURL_SERVERPUBLISHDELTA | 64 | | | |
| Include in the IDP extension of issued CRLs | CSURL_ADDTOIDP | 128 | | | |
| Total (sum of flag values per URL) | | | 1 | 2 | 10 |

Offline Root / Policy

AIA (CA\CACertPublicationURLs) Flags

| Meaning | Enumeration | Value | Direct Path | HTTP [AKA] | ldap:/// [LDAP] |
|---|---|---|---|---|---|
| Deprecated and not selectable via the UI [ASPI] | CSURL_SERVERPUBLISH | 1 | ● | | |
| Include in the AIA extension of issued certificates | CSURL_ADDTOCERTCDP | 2 | | ● | ● |
| Include in the OCSP extension [AXOR] | CSURL_ADDTOCERTOCSP | 32 | | | |
| Total (sum of flag values per URL) | | | 1 | 2 | 2 |

Issuing

CDP (CA\CRLPublicationURLs) Flags

| Meaning | Enumeration | Value | Direct Path (No Delta / With Delta) [DELT] | HTTP [AKA] (No Delta / With Delta) | ldap:/// [LDAP] (No Delta / With Delta) |
|---|---|---|---|---|---|
| Publish CRLs to this location [OCPP] | CSURL_SERVERPUBLISH | 1 | ● | | ● |
| Include in all CRLs. Specifies where to publish in the AD | CSURL_ADDTOCRLCDP | 8 | | | ● |
| Include in CRLs [DRMC] | CSURL_ADDTOFRESHESTCRL | 4 | | ◦ or ● | ◦ or ● |
| Include in the CDP extension of issued certificates | CSURL_ADDTOCERTCDP | 2 | | ● | ● |
| Publish Delta CRLs to this location [DRMC] | CSURL_SERVERPUBLISHDELTA | 64 | ◦ or ● | | ◦ or ● |
| Include in the IDP extension of issued CRLs | CSURL_ADDTOIDP | 128 | | | |
| Total (sum of flag values per URL) | | | 1 or 65 | 2 or 6 | 11 or 79 |

● = set in both configurations; ◦ or ● = not set without delta CRLs, set with delta CRLs (the totals are given as No Delta or With Delta accordingly).

Issuing

AIA (CA\CACertPublicationURLs) Flags

| Meaning | Enumeration | Value | Direct Path | HTTP [AKA] | ldap:/// [LDAP] |
|---|---|---|---|---|---|
| Deprecated and not selectable via the UI [ASPI] | CSURL_SERVERPUBLISH | 1 | ● | | |
| Include in the AIA extension of issued certificates | CSURL_ADDTOCERTCDP | 2 | | ● | ● |
| Include in the OCSP extension [AXOR] | CSURL_ADDTOCERTOCSP | 32 | | | |
| Total (sum of flag values per URL) | | | 1 | 2 | 2 |

[AKA] Use an alias for HTTP repositories, such as pki.example.com. This allows the contents to be moved later without having to reconfigure the AIA and CDP extensions (from http://tinyurl.com/mc9ok49).

[ASPI] For the AIA extension, the flag CSURL_SERVERPUBLISH is deprecated and not selectable via the UI. However, keep it for the default location, which should not be removed (2003 PKI BP, p. 80).

[AXOR] The CSURL_ADDTOCERTCDP and CSURL_ADDTOCERTOCSP flags are mutually exclusive. Select one or the other, not both (http://tinyurl.com/q4emg3r).

[DELT] For CAs of a certain scale, delta CRLs just add unnecessary overhead. Therefore, this table shows recommended settings both without and with delta CRLs.

[DRMC] Offline CAs don’t revoke many certificates (the issuers do). Therefore, a delta CRL isn’t needed: we don’t need a location to publish one to (CSURL_SERVERPUBLISHDELTA), nor do we need such a location to be in the certificates the CA issues (CSURL_ADDTOFRESHESTCRL).

[LDAP] URLs with triple slashes are shorthand for localhost (RFC 1738). Consequently, the CA MMC will let you set the CSURL_SERVERPUBLISH publication flag when it is a local LDAP server, but it disables the ability to set this flag for remote LDAP servers.

[OCPP] An offline CA can’t publish to a network location. This makes the flags CSURL_SERVERPUBLISH and CSURL_ADDTOCRLCDP seem incompatible, since we recommend here that CSURL_ADDTOCRLCDP be enabled. The difference is that having this URL in the CRL means that when the CRL is published via an online CA, it will be put in this location. In other words, on the offline CA, one creates the CRL with the command "certutil -crl". Then that CRL is saved via "certutil -getcrl outfile". The CRL can be moved to an online CA and then published with "certutil -dsPublish outfile". Setting CSURL_ADDTOCRLCDP isn’t directly relevant for the offline CA itself; it is relevant in that the root CA will decorate its CRLs with the URL so that online CAs know where to publish them (from http://tinyurl.com/lo5sdva, Community Additions).
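To make the arithmetic in the "Total" rows concrete, here is an added example (not part of the original page, and not a Microsoft tool) that composes the numeric prefix of a "flags:URL" publication entry from the flag names above, decodes an existing entry back into names, and checks a CA's entries against the notes [AXOR], [DRMC] and [LDAP]. The sample entries use the issuing-CA "With Delta" column (65 / 6 / 79); the paths, the pki.example.com alias and the %N substitution tokens are assumptions for illustration.

```python
"""Compose and audit AD CS publication-URL entries ("flags:URL") against the tables above."""
from typing import Iterable

# Flag values exactly as listed in the tables above.
CSURL = {
    "CSURL_SERVERPUBLISH": 1,
    "CSURL_ADDTOCERTCDP": 2,
    "CSURL_ADDTOFRESHESTCRL": 4,
    "CSURL_ADDTOCRLCDP": 8,
    "CSURL_ADDTOCERTOCSP": 32,
    "CSURL_SERVERPUBLISHDELTA": 64,
    "CSURL_ADDTOIDP": 128,
}

def flags_value(names: Iterable[str]) -> int:
    """OR the named flags into the numeric prefix of an entry (e.g. 65 for "65:http://...")."""
    return sum(CSURL[n] for n in set(names))

def decode_flags(value: int) -> set[str]:
    """Turn a numeric prefix back into flag names; reject bits that are not in the table."""
    names = {n for n, v in CSURL.items() if value & v}
    if flags_value(names) != value:
        raise ValueError(f"unknown flag bits in {value}")
    return names

def audit(entries: Iterable[str], offline: bool, aia: bool) -> list[str]:
    """Return one warning per entry that contradicts [AXOR], [DRMC] or [LDAP]; [] means consistent."""
    warnings = []
    for entry in entries:
        prefix, url = entry.split(":", 1)          # registry format is "flags:URL"
        names = decode_flags(int(prefix))
        if aia and {"CSURL_ADDTOCERTCDP", "CSURL_ADDTOCERTOCSP"} <= names:
            warnings.append(f"{url}: ADDTOCERTCDP and ADDTOCERTOCSP are mutually exclusive [AXOR]")
        if offline and {"CSURL_SERVERPUBLISHDELTA", "CSURL_ADDTOFRESHESTCRL"} & names:
            warnings.append(f"{url}: delta-CRL flags set on an offline CA [DRMC]")
        if "CSURL_SERVERPUBLISH" in names and url.startswith("ldap://") and not url.startswith("ldap:///"):
            warnings.append(f"{url}: SERVERPUBLISH only applies to the local (ldap:///) server [LDAP]")
    return warnings

def certutil_setreg(key: str, entries: Iterable[str]) -> str:
    """Build the certutil -setreg command; entries are joined with a literal \\n (at cmd.exe, double each %)."""
    return f'certutil -setreg {key} "' + "\\n".join(entries) + '"'

# Constructed sample: issuing-CA CDP entries for the "With Delta" column (65 / 6 / 79).
# The %N tokens are the CA's substitution variables (%3 CaName, %8 CRLNameSuffix, %9 DeltaCRLAllowed, ...).
ISSUING_CDP_WITH_DELTA = [
    "65:C:\\Windows\\system32\\CertSrv\\CertEnroll\\%3%8%9.crl",
    "6:http://pki.example.com/CertEnroll/%3%8%9.crl",
    "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10",
]

if __name__ == "__main__":
    print(certutil_setreg("CA\\CRLPublicationURLs", ISSUING_CDP_WITH_DELTA))
    print(audit(ISSUING_CDP_WITH_DELTA, offline=False, aia=False))  # [] -> matches the table
```

Running the same entries with offline=True flags all three, which is exactly the [DRMC] point: the delta-CRL flags belong on the issuing CA, not the root.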

In addition, I made the following diagram to help me understand the relationships among the certification authority publication URLs, flags, which flags are used in which context, and when.

I hope others find it helpful.