Publishing Authority Information Access and CRL Distribution Point Extensions

In this exercise, you will evaluate a network infrastructure and the needs of clients. You will then configure your CA to publish authority information access and CRL distribution point extensions.

Instructions

Ensure the 2823_DC1, 2823_Web1 and 2823_Client1 virtual machines are started.

Perform tasks from the 2823_Client1 virtual machine as the user Don Hall unless otherwise directed. Don Hall's username is [email protected] and his password is [email protected]. Don Hall does not have any administrative rights. Perform all administrative tasks by using the RUNAS command or the secondary logon service. When performing administrative tasks, use the username [email protected] and the password [email protected].

Scenario

Coho Vineyard has deployed an enterprise root CA. You will be using this CA to issue certificates to users outside your company. These users must be able to download the current CRL and CA certificate from your public Web site, so this location must be included in every issued certificate. You will configure the Authority Information Access (AIA) and CRL Distribution Point (CDP) certificate extensions to include the new path. You will then request a test certificate and verify that the extensions are configured correctly.

Your public Web site address is www.cohovineyard.com.

Tasks

Detailed steps

1. Add an AIA and CRL distribution point to your existing CA that allows you to place the current CRL and root certificate on your public Web site.

a. Open Public Key Management.

b. Connect to the CA on 2823_DC1. The computer name of 2823_DC1 is dc1.cohovineyard.com.

c. Add a new CRL distribution point to CohoVineyardRootCA. The path for the new CDP is http://www.cohovineyard.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl.

d. Configure the new CDP with the following parameters:

• Include in the CDP extension of issued certificates

e. Add a new AIA distribution point. The path for the new AIA is http://www.cohovineyard.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt.

f. Configure the new AIA as follows:

• Include in the AIA extension of issued certificates

g. When prompted, restart Certificate Services.

h. Close all administrative tools.

2. Create a directory on your public Web site to host the CRL and root certificate.

■ Create a new folder named PKI in the C:\inetpub\wwwroot folder on the 2823_Web1 virtual machine.

3. Publish the CRL and root certificate on the public Web site.

■ Copy the contents of the \\dc1\certenroll folder to the C:\inetpub\wwwroot\pki folder on the 2823_Web1 virtual machine.

4. Enroll for a certificate and verify that the AIA and CDP extensions are configured correctly.

a. On the 2823_Client1 virtual machine, click Start, click Run, type certmgr.msc and then press Enter.

b. In the Certificates window, click Personal, and on the Action menu point to All Tasks and then click Request New Certificate.

c. In the Certificate Request Wizard, click Next. Complete the Certificate Request Wizard using the following information. Leave all values that are not listed at the default value.

• Certificate Types: User

• Friendly Name: DonHall

d. In the Certificates window, expand Personal and then click Certificates.

e. In the Certificates window, in the contents pane, double-click Don Hall.

f. In the Certificate dialog box, click the Details tab.

g. Scroll down and examine the contents of the CRL Distribution Points and Authority Information Access fields, and verify that the new path is included.

h. Click OK to close the Certificate dialog box.

i. Click Close to close the Certificates window.
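The same procedure (steps 1 through 4) driven from the command line, as an added example that is not part of the original lab. It uses certutil, which is the tool the Certification Authority snap-in drives underneath: the CDP and AIA locations live in the CA's CRLPublicationURLs and CACertPublicationURLs registry values, each entry being an option bitmask followed by a URL template in which certutil expands %1 = <ServerDNSName>, %3 = <CaName>, %4 = <CertificateName>, %8 = <CRLNameSuffix> and %9 = <DeltaCRLAllowed>. The CA name, host names, share and folder paths come from the lab; the function Get-CdpAiaUrls, the temporary file name and the use of PowerShell cmdlets (the lab's Windows Server 2003 hosts would need the equivalent cmd.exe commands) are assumptions.

```powershell
# Added example (not from the lab): configure, publish and verify the CDP/AIA
# extensions with certutil and PowerShell. Sections are marked with the host
# they run on; run the CA-side commands elevated.

# --- Step 1 (on dc1.cohovineyard.com): add the HTTP CDP and AIA locations ---
# Option bits: in CRLPublicationURLs, 2 = "Include in the CDP extension of
# issued certificates"; in CACertPublicationURLs, 2 = "Include in the AIA
# extension of issued certificates". The leading "+" appends the entry to the
# existing multi-string value instead of replacing the whole list.
$cdpUrl = 'http://www.cohovineyard.com/pki/%3%8%9.crl'       # <CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
$aiaUrl = 'http://www.cohovineyard.com/pki/%1_%3%4.crt'      # <ServerDNSName>_<CaName><CertificateName>.crt
certutil -setreg CA\CRLPublicationURLs    "+2:$cdpUrl"
certutil -setreg CA\CACertPublicationURLs "+2:$aiaUrl"

# Review the resulting lists before restarting; a wrong bitmask here silently
# changes what ends up in every certificate issued from now on.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Certificate Services reads these values only at start-up.
Restart-Service CertSvc

# Publish a fresh CRL so the copy in CertEnroll is current.
certutil -CRL

# --- Steps 2 and 3 (on 2823_Web1): stage the CRL and CA certificate ---
# The URLs above only resolve to these files if the site's document root is
# C:\inetpub\wwwroot and /pki is served as a plain static folder.
$pkiDir = 'C:\inetpub\wwwroot\pki'
New-Item -ItemType Directory -Path $pkiDir -Force | Out-Null
Copy-Item -Path '\\dc1\certenroll\*' -Destination $pkiDir -Force

# --- Step 4 (on 2823_Client1 as Don Hall, after enrolling): verify ---
function Get-CdpAiaUrls {
    # Assumed helper: decode the CDP and AIA extensions of a certificate and
    # return one object per URL found, tagged with the extension it came from.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $wanted = 'CRL Distribution Points', 'Authority Information Access'
    foreach ($ext in $Certificate.Extensions) {
        if ($wanted -contains $ext.Oid.FriendlyName) {
            [regex]::Matches($ext.Format($true), 'https?://\S+') |
                ForEach-Object {
                    [pscustomobject]@{ Extension = $ext.Oid.FriendlyName; Url = $_.Value }
                }
        }
    }
}

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.FriendlyName -eq 'DonHall' } |
    Select-Object -First 1
$urls = Get-CdpAiaUrls -Certificate $cert
$urls | Format-Table -AutoSize

# Fail loudly if the public web path is missing from either extension.
foreach ($name in 'CRL Distribution Points', 'Authority Information Access') {
    $hit = $urls | Where-Object {
        $_.Extension -eq $name -and $_.Url -like 'http://www.cohovineyard.com/pki/*'
    }
    if (-not $hit) { Write-Error "Public URL missing from $name" }
}

# Independent check: make certutil actually fetch every CDP and AIA URL.
# A "Verified" line per URL proves the web server serves the files; a failed
# fetch means external relying parties cannot build the chain or check revocation.
$cerPath = Join-Path $env:TEMP 'donhall.cer'   # assumed temporary file name
[System.IO.File]::WriteAllBytes($cerPath, $cert.RawData)
certutil -verify -urlfetch $cerPath
```

Two caveats the GUI steps do not make obvious: the new locations appear only in certificates issued after the restart, so anything issued earlier must be renewed to pick them up, and the CRL copied in step 3 goes stale at its next update date unless publication to the web folder is repeated (or the CA is given a file:// or UNC publishing location pointing at it), at which point external clients that honour revocation start failing validation.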

5. Complete the lab exercise.

a. Close all programs and log off from all virtual machines.

b. Close all virtual machines. Do not save changes.

c. To prepare for the next module, start the 2823_DC1 and 2823_Client1 virtual machines.

Responses

  • BELLISIMA
    When should you use both AIA and CDP extensions?
    7 years ago
  • Arsi Kasslin
    How to update CRL distribution point and authority information access extensions?
    1 year ago
