AD CS: CRL distribution point locations should be included in the extensions of issued certificates

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System	Windows Server® 2008 R2 and Windows Server® 2012
Product/Feature	Active Directory Certificate Services
Severity	Warning
Category	Configuration

Issue

This certification authority (CA) is not configured to include certificate revocation list (CRL) distribution point locations in the extensions of issued certificates. The CRL distribution point extension provides the network location of the CRL.

Impact

Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail.

Certificate validation is critical to a correctly functioning public key infrastructure (PKI). Many applications require revocation status checking during certificate validation. The CRL is retrieved by the revocation provider, which reads the CRL distribution point extension of issued certificates to identify the network location of the CRL. If the extension does not include the location of the CRL, then certificate validation cannot be completed and might cause application failure.

Resolution

Use the Certification Authority snap-in to configure the CRL distribution point extension and specify the network location of the CRL.

The default locations of the CRL are added to the CRL distribution point extension settings during CA installation, and the CA is configured to include the default locations in the extensions of all issued certificates. If the default locations are not present or are not valid, use the following procedure to add valid locations and configure them to be included in issued certificates.

To configure CRL distribution point extension settings

1. On the CA, open the Certification Authority snap-in.

2. In the console tree, right-click the CA, and then click Properties.

3. Click the Extensions tab.

4. In Select extension, click CRL Distribution Point.

5. If the Specify locations list does not include a valid location for the CRL, click Add to open the Add Location dialog box, and type a valid location. Click OK to save the location. Repeat to add multiple locations.

6. In the Specify locations list, click a location, and then select the Include in the CRL distribution point extension of issued certificates check box.

7. Click OK to save changes. Active Directory Certificate Services must be restarted for the change to take effect.

Important

You should verify the specified location before issuing certificates that include it.

Additional references

• For more details about configuring extensions, see Specify CRL Distribution Points.

• Premier Support customers can use an intensive PKI Health Check to review this issue in addition to a thorough evaluation of other issues. For more information, see Public Key Infrastructure Server Health Check Datasheet.