Removing LDAP from CDP & AIA in a Microsoft PKI


It is recommended NOT to have LDAP URLs in the CDP/AIA extensions. Instead, it is recommended to have one internally and externally accessible, highly available HTTP location.

Edit 31.10.2015:

The official Microsoft recommendation is written in the "Certificate Revocation Checking in Windows Vista and Windows Server 2008" whitepaper (p. 27):

Use HTTP

Although AD DS enables publication of CRLs to all domain controllers in the forest, we recommend implementing HTTP instead of LDAP for revocation information publication. Only HTTP enables the use of the ETag and Cache-Control: Max-age headers providing better support for proxies and more timely revocation information. In addition, HTTP provides better heterogeneous support as HTTP is supported by most Linux, UNIX, and network device clients.

and below:

Limit the Number of URLs

Instead of creating long listings of URLs for OCSP and CRL retrieval, consider limiting the lists to a single OCSP and a single CRL URL. Instead of providing multiple sites, work on ensuring that the sites referenced in the URLs are highly available and can handle the expected bandwidth requirements.

Besides what is cited above, I would add a brief explanation. When the certificate chaining engine (CCE) uses a CDP/AIA extension to download the requested object (it doesn't matter whether it is a certificate, a CRL, or anything else), the CCE attempts the URLs in the order in which they are listed in the extension. If the first URL fails, the second URL (if present) will be attempted, and so on. Microsoft CryptoAPI uses a 15-second timeout for the first URL and half of the previous timeout for each subsequent URL (i.e. 7.5 seconds for the second URL, and so on).

When the certificate is used in an Active Directory domain environment, there are no problems with LDAP links. However, if any client that is not a member of the Active Directory forest attempts to validate such a certificate, it will wait for 15 seconds while contacting domain controllers. The LDAP URL is (most likely) not resolvable from the Internet, and even if it is resolvable, firewalls or DCs will refuse the connection. Then the CCE will attempt the second URL (which is HTTP in a default installation), which may succeed. However, depending on the certificate chain length, the validation procedure may take a while.

In addition, the certificate validation procedure cannot continue indefinitely: there is a global timeout for the whole validation procedure. That is, certificate validation may fail because of this global timeout. As a result, you need to consider a highly available HTTP URL (on a load balancer) which is resolvable from inside and outside of the network. If that is the case, then there is no need for a secondary LDAP URL which will not work for Internet users.


Updated on September 18, 2022

Comments

  • medos
    medos almost 2 years

    A default installation of a Microsoft PKI running Windows 2012 R2 includes LDAP URLs within the CRL distribution points (CDPs) and Authority Information Access (AIA).

    I want to issue certificates outside of my organization but I don't want an internal LDAP address being included with my certificates. Is there any reason to think that removing LDAP addresses from my extensions would cause harm now or in the future?

  • medos
    medos over 8 years
    Any source for this? (I believe you - I just want to be able to back my decision.)
  • Crypt32
    Crypt32 over 8 years
    See edited response.
  • Greg Askew
    Greg Askew over 8 years
    What impact would this have for CRL checking for pre-existing certificates that only have the non-HTTP CRL?
  • Crypt32
    Crypt32 over 8 years
    You will have to either support object publication to LDAP (only object publication; the URL does not go into newly issued certificates) or reissue currently active certificates after changing the CDP/AIA settings.
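The following script is an added example written for this page; it is not code from Crypt32's answer or from Microsoft's whitepaper. It applies the answer's recommendation on a Windows Server 2012 R2 (or later) CA using the ADCSAdministration module, and it follows the last comment's first option: the LDAP CDP entry is kept as publish-only so certificates issued earlier (which still reference ldap://) keep finding their CRL in AD, while newly issued certificates carry a single HTTP URL. The URL http://pki.example.com/CertEnroll/ and the path C:\temp\issued.cer are placeholders; the CDP/AIA object property names (Uri, AddToCertificateCdp, PublishToServer, ...) are assumed from that module's output.

```powershell
# Added example, not from the original answer. Run on the CA as a CA administrator.
# ASSUMPTION: http://pki.example.com/CertEnroll/ stands for your internally and
# externally resolvable, load-balanced HTTP location.
Import-Module ADCSAdministration

$httpBase = 'http://pki.example.com/CertEnroll/'

# --- CDP: keep LDAP for publication only, put a single HTTP URL into new certs ---
# Show what the CA currently does with each location.
Get-CACrlDistributionPoint |
    Format-Table Uri, AddToCertificateCdp, PublishToServer, PublishDeltaToServer -AutoSize

foreach ($cdp in @(Get-CACrlDistributionPoint)) {
    if ($cdp.Uri -like 'ldap://*' -and $cdp.AddToCertificateCdp) {
        # Re-add the same ldap:/// location with only the "publish" flags, so the
        # CRL still lands in AD for already-issued certificates, but the URL is no
        # longer written into the CDP extension of newly issued certificates.
        Remove-CACrlDistributionPoint -Uri $cdp.Uri -Force
        Add-CACrlDistributionPoint -Uri $cdp.Uri -PublishToServer -PublishDeltaToServer -Force
    }
}

# Exactly one HTTP CRL URL goes into issued certificates (and into the
# FreshestCRL extension for delta CRLs).
$httpCrl = $httpBase + '<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
if (-not (Get-CACrlDistributionPoint | Where-Object { $_.Uri -eq $httpCrl })) {
    Add-CACrlDistributionPoint -Uri $httpCrl -AddToCertificateCdp -AddToFreshestCrl -Force
}

# --- AIA: remove the LDAP entry from issued certificates ---
foreach ($aia in @(Get-CAAuthorityInformationAccess)) {
    if ($aia.Uri -like 'ldap://*' -and $aia.AddToCertificateAia) {
        Remove-CAAuthorityInformationAccess -Uri $aia.Uri -Force
        # The CA certificate that existing AIA extensions point to stays in AD;
        # if it ever needs to be re-published (e.g. after CA renewal), use
        # certutil -dspublish -f <CAcert.crt> SubCA   (or RootCA for a root).
    }
}

$httpAia = $httpBase + '<ServerDNSName>_<CaName><CertificateName>.crt'
if (-not (Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -eq $httpAia })) {
    Add-CAAuthorityInformationAccess -Uri $httpAia -AddToCertificateAia -Force
}

# Apply the new settings and publish a fresh CRL to every "publish" location.
Restart-Service CertSvc
certutil -crl

# --- Check: a newly issued certificate must not reference ldap:// anywhere ---
function Test-NoLdapInCdpAia {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' }
    $text = ($ext | ForEach-Object { $_.Format($true) }) -join "`n"
    if ($text -match 'ldap://') {
        Write-Warning "$CertPath still references LDAP:`n$text"
        return $false
    }
    return $true
}

# Placeholder path: export a certificate issued after the change and point here.
Test-NoLdapInCdpAia -CertPath 'C:\temp\issued.cer'
```

Keep the LDAP location's publish flags until the last certificate issued under the old configuration has expired or been reissued; only then is it safe to remove the entry entirely. To see the retrieval behaviour the answer describes (the 15-second wait on the LDAP URL), run `certutil -verify -urlfetch` against a certificate on a machine that is not joined to the forest, once with an old certificate and once with one issued after the change.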