AD CS: Web server role should be installed if CRL distribution point extension URIs refer to the local web server

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server® 2008 R2 and Windows Server® 2012

Product/Feature

Active Directory Certificate Services

Severity

Warning

Category

Configuration

Issue

The certificate revocation list (CRL) distribution point extension on this certification authority (CA) refers to the local Web server; however, the Web Server role is not installed.

The CRL distribution point extension is defined during CA setup and includes a default HTTP URI that refers to the CA server. If the Web Server role is not installed on the CA server, then the default HTTP URI included in the extension is not valid.

Many applications require revocation status checking during certificate validation. The CRL is retrieved by the revocation provider, which reads the CRL distribution point extension of issued certificates to identify the network location of the CRL.

Impact

Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail.

Certificate validation is critical to a correctly functioning public key infrastructure (PKI). If the URI included in the CRL distribution point extension is not valid, then clients may not be able to retrieve the CRL and certificate validation may fail.

Resolution

Use Server Manager to start or add the Web Server role service and add virtual directories to match the HTTP URI included in the CRL distribution point extension. Otherwise, remove the HTTP URI from the extension by using the Certification Authority snap-in.

It is important that the locations included in the CRL distribution point extension are valid and accessible by clients. Check the CA's extension configuration and ensure that all defined locations are valid, or remove the locations you do not intend to use for publishing the CRL.

The CRL distribution point extension is not required in certificates. However, it is a best practice to publish the CRL to one or more network locations and include the URIs in the CRL distribution point extensions of issued certificates. URIs using LDAP, HTTP, or UNC formats are supported, and a default location using each protocol is defined during CA setup. If you do not plan to publish the CRL to each of the defined locations, then you can safely remove the unused locations from the extension. However, it is recommended to publish the CRL to multiple network locations that use different network protocols.

Important

Do not remove the default local directory that references a local path on the CA's file system; for example, C:\Windows\System32\CertSrv\CertEnroll&lt;CaName><CRLNameSuffix><DeltaCRLAllowed>.crl. A local copy of the CRL is required for the CA to perform certificate validation. Locations with local paths cannot be included in the CRL distribution point extension of issued certificates. However, the default HTTP URI references a virtual directory that targets the default local directory.

To configure CRL distribution point extension

  1. On the CA, open the Certification Authority snap-in.

  2. Right-click the name of the CA, and click Properties to open the CA property sheet.

  3. Click the Extensions tab.

  4. In Select extension, select CRL distribution point to display the list of locations.

  5. To add a URI, click Add to open the Add Location dialog box.

  6. Type the URI in the Location box, and click OK.

  7. Click a location, and note the state of the Include in the CRL distribution point extension of issued certificates check box.

Note

Each location must be configured separately. First, select the location in the list. Then, select or clear the Include in the CRL distribution point extension of issued certificates check box. The state of the check box applies only to the location that is selected.

During CA setup a default HTTP location is defined with the URI https://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl. Using Server Manager to install the CA Web Enrollment role service also installs the Web Server role and creates the CertEnroll virtual directory described by the default URI. In many environments, installing the CA Web Enrollment role service on the CA is an appropriate configuration and it is the simplest resolution to implement.

Some organizations might choose not to install the Web Server role on the same server as the CA. Any valid URI can be added to the extension and the CRL can be published to a remote Web server. For more information about configuring CRL distribution point extensions, see Specify CRL distribution points. To review the procedures for creating virtual directories, see IIS 6.0 Web Site Setup and IIS 7.0: Create a Virtual Directory.

Additional references