By Jack Chen, Taos Senior Technical Consultant
Authority information access (AIA) locations must be included in the extensions of issued certificates
Issue: This certification authority (CA) is not configured to include authority information access locations in the extensions of issued certificates. The authority information access extension provides the network location of the issuing CA’s certificate.
Impact: Clients may not be able to locate the issuing CA’s certificate to build a certificate chain, and certificate validation may fail. Certificate validation is critical to a correctly functioning PKI. A certification path that leads to a trusted root certificate is a requirement for a valid certificate. To build a certification path, the issuing CA’s certificate is retrieved by CryptoAPI, which reads the authority information access extension of issued certificates to identify the network location of the CA’s certificate. If the extension does not include the location of the CA certificate, then certificate validation cannot be completed and applications that require the certificate might fail.
Resolution: Use the Certification Authority snap-in to configure the authority information access extension and specify the network location of the issuing CA’s certificate.
AIA locations should include the certificate name suffix
Issue: The location of the certification authority (CA) certificate specified in the authority information access extension is not configured to include the certificate name suffix. The CA certificate is required by applications to validate certificates presented to them by computers and users. A digital certificate that supports the X.509 version 3 format can include an authority information access extension to specify the Uniform Resource Identifier (URI) of the issuing CA certificate. The URI is used by applications during certificate validation to retrieve the CA certificate. The certificate name suffix is one of several substitution variables used by a CA to represent components of URIs, such as host and file names. The variables are translated by the CA during certificate issuance to ensure the URIs added to certificate extensions reflect correct locations of the CA certificate. The certificate name suffix represents the CA certificate index value that is incremented each time the CA certificate is renewed. Because the new and expired certificates are published to the same location, the value of the certificate index is appended to a certificate’s file name to create a unique URI. When the certificate name suffix variable is used, the URIs added to certificate extensions immediately reflect the location of the new CA certificate.
The URIs of CA certificates should not be changed after they are published because issued certificates referencing the URIs can be valid beyond the expiration date of the CA certificate.
Impact: Clients may not be able to locate the correct version of the issuing CA’s certificate to build a certificate chain, and certificate validation may fail. If substitution variables are not used, the extension settings must be manually updated when the CA certificate is renewed. Manual configuration increases administration costs and presents a potential for error and delay between certificate renewal and CA configuration. Certificates issued with inaccurate CA certificate locations cannot be validated, which might cause application failure.
Resolution: Use the Certification Authority snap-in to configure the authority information access extension to include the certificate name suffix in each location.
CA database and log files should not be stored on the system drive
Issue: Database and log files can grow very large and can possibly consume all available disk space. If these files are located on the system drive, then this can cause the operating system to fail.
Resolution: Keep the database and log files on a separate volume, for example D:\CertLog. The CA reads these locations from the following registry values under the CertSvc Configuration key:
\DBDirectory
\DBLogDirectory
\DBSystemDirectory
\DBTempDirectory
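As an added check (not code from the original post), this PowerShell snippet reads the four database locations from the CertSvc Configuration key and flags any that sit on the system drive; it assumes it is run locally on the CA with rights to read HKLM.

```powershell
# Added example: audit AD CS database/log locations against the system drive.
# Assumption: runs on the CA itself; the values live directly under the Configuration key.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$cfg  = Get-ItemProperty -Path $base

# Normalise the drive letter so "c:" and "C:" compare equal.
$systemDrive = $env:SystemDrive.ToUpperInvariant()

$results = foreach ($name in 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory') {
    $path  = $cfg.$name
    $drive = if ($path) {
        ([System.IO.Path]::GetPathRoot($path)).TrimEnd('\').ToUpperInvariant()
    } else { '' }
    [pscustomobject]@{
        Setting       = $name
        Path          = $path
        OnSystemDrive = ($drive -eq $systemDrive)
    }
}

$results | Format-Table -AutoSize

if ($results | Where-Object OnSystemDrive) {
    Write-Warning "One or more CA database/log locations are on $systemDrive; move them to a dedicated volume (for example D:\CertLog)."
}
```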
Computer auto-enrollment should be enabled when an enterprise CA is installed
Issue: An enterprise CA provides autoenrollment features that enable certificates to be issued without user interaction. The autoenrollment operations on client computers and CAs are controlled by Group Policy settings and certificate template settings.
Impact: An enterprise CA can use autoenrollment to simplify certificate issuance and renewal. If certificates are not issued or renewed, applications and services that require certificates might fail and new domain users and computers might be unable to access domain resources.
Resolution: Use the Group Policy Management Console. To automatically enroll client computers for certificates in a domain environment, you must:
- Configure an autoenrollment policy for the domain.
- Configure certificate templates for autoenrollment.
- Configure an enterprise CA.
To configure autoenrollment Group Policy for a domain
- On a domain controller, open the Group Policy Management console.
- In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
- Right-click the Default Domain Policy GPO, and then click Edit.
- In the Group Policy Management Console (GPMC), click Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
- Double-click Certificate Services Client — Auto-Enrollment.
- Select the Enroll certificates automatically checkbox to enable autoenrollment. If you are enabling certificate autoenrollment, you can optionally select the following checkboxes:
- Renew expired certificates, update pending certificates, and remove revoked certificates
- Update certificates that use certificate templates
- Click OK to accept your changes.
To configure certificate templates for autoenrollment
- On the CA, open the Certification Authority snap-in.
- In the console pane, expand the CA. Right-click Certificate Templates and then click Manage.
- Select the certificate template that you want to enable for autoenrollment.
- On the Action menu, click Properties, and then click the Security tab.
- Select or add the user or group that you want to permit for autoenrollment.
- In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish.
The enterprise CA does not require autoenrollment configuration, but the certificate templates that you have enabled for autoenrollment must be assigned to the CA before client computers can automatically enroll for those certificates.
To assign certificate templates to an enterprise CA
- On the CA, open the Certification Authority snap-in.
- In the console tree, click Certificate Templates.
- On the Action menu, point to New, and then click Certificate Template to Issue.
- Select the certificate template that you enabled for autoenrollment, and click OK.
User auto-enrollment should be enabled when an enterprise CA is installed
To automatically enroll client computers for certificates in a domain environment, you must:
- Configure an autoenrollment policy for the domain.
- Configure certificate templates for autoenrollment.
- Configure an enterprise CA.
To configure autoenrollment Group Policy for a domain
- On a domain controller, open the Group Policy Management console.
- In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
- Right-click the Default Domain Policy GPO, and then click Edit.
- In the Group Policy Management Console (GPMC), click User Configuration, Policies, Windows Settings, Security Settings, and then click Public Key Policies.
- Double-click Certificate Services Client — Auto-Enrollment.
- In the Configuration Model, select Enabled to enable autoenrollment.
- If you are enabling certificate autoenrollment, you can select the following checkboxes:
- Renew expired certificates, update pending certificates, and remove revoked certificates
- Update certificates that use certificate templates
- Expiration notification
- Click OK to accept your changes.
To configure certificate templates for autoenrollment
- On the CA, open the Certification Authority snap-in.
- Expand the CA. Right-click Certificate Templates and then click Manage.
- Select the certificate template that you want to enable for autoenrollment.
- On the Action menu, click Properties, and then click the Security tab.
- Select or add the user or group that you want to permit for autoenrollment.
- In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish.
Note: The Autoenroll permission is not available in version 1 certificate templates. You must either select a version 2 or version 3 template, or duplicate a certificate template to create a version 2, version 3, or version 4 certificate template in order to see the Autoenroll permission.
The enterprise CA does not require auto-enrollment configuration, but the certificate templates that you have enabled for auto-enrollment must be assigned to the CA before client computers can automatically enroll for those certificates.
To assign certificate templates to an enterprise CA
- On the CA, open the Certification Authority snap-in.
- In the console tree, click Certificate Templates.
- On the Action menu, point to New, and then click Certificate Template to Issue.
- Select the certificate template that you enabled for auto-enrollment, and click OK.
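After both the computer and user autoenrollment procedures above, a quick way to confirm the outcome is to list the templates assigned to the CA and who holds the Autoenroll right on each. This is an added example, not code from the original post; it assumes the ADCSAdministration and ActiveDirectory modules are available on the CA, and the extended-right GUID for Certificate-AutoEnrollment is the well-known schema value.

```powershell
# Added example: for each template assigned to the local enterprise CA, show which
# principals are granted the Autoenroll extended right in Active Directory.
Import-Module ADCSAdministration, ActiveDirectory

# Well-known extended-right GUID for Certificate-AutoEnrollment.
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNc    = (Get-ADRootDSE).configurationNamingContext
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

foreach ($template in Get-CATemplate) {
    # The template's AD object is named after its template name (cn).
    $dn  = "CN=$($template.Name),$templatesDn"
    $acl = Get-Acl -Path "AD:\$dn"

    # Allow ACEs that grant Autoenroll explicitly, all extended rights, or GenericAll.
    $auto = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
             ($_.ObjectType -eq $AutoEnrollGuid -or $_.ObjectType -eq [guid]::Empty)) -or
            $_.ActiveDirectoryRights -match 'GenericAll'
        )
    }

    [pscustomobject]@{
        Template   = $template.Name
        AutoEnroll = ($auto.IdentityReference -join ', ')
    }
}
```

A template that appears with an empty AutoEnroll column is published on the CA but will never be issued automatically, which is exactly the gap the BPA rule describes.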
CDP locations should be included in the extensions of issued certificates
Impact: Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail. Certificate validation is critical to a correctly functioning public key infrastructure (PKI). Many applications require revocation status checking during certificate validation. The CRL is retrieved by the revocation provider, which reads the CRL distribution point extension of issued certificates to identify the network location of the CRL. If the extension does not include the location of the CRL, then certificate validation cannot be completed and might cause application failure.
To configure CRL distribution point extension settings:
- On the CA, open the Certification Authority snap-in.
- In the console tree, right-click the CA, and then click Properties.
- Click the Extensions tab.
- In Select extension, click CRL Distribution Point.
- If the Specify locations list does not include a valid location for the CRL, click Add to open the Add Location dialog box, and type a valid location. Click OK to save the location. Repeat to add multiple locations.
- In the Specify locations list, click a location, and then select the Include in the CRL distribution point extension of issued certificates checkbox.
- Click OK to save changes. Active Directory Certificate Services must be restarted for the change to take effect.
CDP locations should include the CRL name suffix
Impact: Clients may not be able to locate the correct version of the CRL to check the revocation status of a certificate, and certificate validation may fail. If substitution variables are not used, the extension settings must be manually updated when a CRL is published. Manual configuration increases administration costs and presents a potential for error and delay between CRL publishing and CA configuration. Certificates issued with inaccurate CRL locations might cause application failure if the application requires revocation status to validate certificates.
- On the CA, open the Certification Authority snap-in.
- In the console tree, right-click the CA, and then click Properties.
- Click the Extensions tab.
- In Select extension, click CRL Distribution Point.
- If the Specify locations list does not include a valid location for the CRL, click Add to open the Add Location dialog box, and type a location that includes the CRL name suffix variable (<CRLNameSuffix>). Click OK to save the location. Repeat to add multiple locations.
- In the Specify locations list, click a location, and then select the Include in the CRL distribution point extension of issued certificates checkbox.
- Click OK to save changes. Active Directory Certificate Services must be restarted for the changes to take effect.
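The four findings on AIA and CDP locations (included in issued certificates, and carrying the certificate name suffix or CRL name suffix) can be audited from the CA's own registry configuration. This is an added example, not code from the original post; it assumes it runs on the CA, and relies on the documented "flags:uri" entry format where flag 2 means "include in the extension of issued certificates" and %4 / %8 are the substitution tokens the snap-in shows as <CertificateName> and <CRLNameSuffix>.

```powershell
# Added example: audit CACertPublicationURLs (AIA) and CRLPublicationURLs (CDP)
# against the BPA rules above. Runs on the CA; reads the active CA's configuration key.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$cfg    = Get-ItemProperty -Path (Join-Path $base $caName)

$IncludeInExtension = 2   # flag bit: add this URL to the extension of issued certificates

function Test-PublicationUrls {
    param(
        [string[]] $Entries,   # REG_MULTI_SZ entries of the form "<flags>:<uri>"
        [string]   $Token,     # substitution variable that must appear: %4 (AIA) or %8 (CDP)
        [string]   $Label
    )
    $inExtension = foreach ($entry in $Entries) {
        # Split on the first ':' only; the URI itself contains colons.
        $flags, $uri = $entry -split ':', 2
        if (([int]$flags -band $IncludeInExtension) -ne 0) {
            [pscustomobject]@{ Uri = $uri; HasSuffix = $uri.Contains($Token) }
        }
    }
    if (-not $inExtension) {
        Write-Warning "${Label}: no location is included in the extension of issued certificates."
        return
    }
    foreach ($item in $inExtension) {
        $state = if ($item.HasSuffix) { 'OK' } else { 'MISSING name suffix' }
        "{0,-22} {1,-20} {2}" -f $Label, $state, $item.Uri
    }
}

Test-PublicationUrls -Entries $cfg.CACertPublicationURLs -Token '%4' -Label 'AIA (CA certificate)'
Test-PublicationUrls -Entries $cfg.CRLPublicationURLs    -Token '%8' -Label 'CDP (CRL)'
```

The snap-in edits described above can also be scripted with Add-CAAuthorityInformationAccess and Add-CACrlDistributionPoint from the ADCSAdministration module; the certificate service still has to be restarted afterwards for the change to take effect.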
The CRL publication interval for a stand-alone root CA should be at least 30 days
Impact: An offline or stand-alone CA may not be able to automatically publish updated CRLs. If updated CRLs are not published to their CRL distribution points, revocation checks on certificates issued by the CA may fail.
Resolution: Use the Certification Authority snap-in to set the CRL publication interval to 30 days or longer. To configure the CRL publication interval:
- On the CA, open the Certification Authority snap-in.
- In the console tree, double-click the root CA to display certificate containers.
- Right-click the Revoked Certificates container, and click Properties.
- Next to CRL publication interval, type 180 (any value of 30 days or more satisfies this rule), and select Days.
- Click OK to save changes.
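To check the interval without opening the snap-in, the CA stores it as a unit count and a unit name. This added example (not from the original post) converts that pair to days, compares it with the 30-day threshold, and notes the certutil equivalent of the snap-in change; it assumes it runs on the CA.

```powershell
# Added example: read the base CRL publication interval of the local CA and compare it
# with the 30-day minimum recommended for an offline or stand-alone root.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$cfg    = Get-ItemProperty -Path (Join-Path $base $caName)

# Approximate unit-to-days conversion; precise enough for a threshold check.
$daysPerUnit = @{ Hours = 1 / 24; Days = 1; Weeks = 7; Months = 30; Years = 365 }
$unit = $daysPerUnit[$cfg.CRLPeriod]
if ($null -eq $unit) { throw "Unexpected CRLPeriod value '$($cfg.CRLPeriod)'" }

$intervalDays = $cfg.CRLPeriodUnits * $unit
"Base CRL interval: {0} {1} (~{2:N1} days)" -f $cfg.CRLPeriodUnits, $cfg.CRLPeriod, $intervalDays

if ($intervalDays -lt 30) {
    Write-Warning 'Interval is shorter than 30 days; an offline root may not republish in time and its CRL will expire.'
    # Remediation (run elevated on the CA, then restart the service so it takes effect):
    #   certutil -setreg CA\CRLPeriodUnits 180
    #   certutil -setreg CA\CRLPeriod "Days"
    #   Restart-Service certsvc
}
```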
The web server should allow URIs containing the “+” character to enable publishing of delta CRLs
Delta CRL file names end in “+”, and IIS request filtering rejects that character by default. If the Web server that hosts the delta CRL is running IIS 7.0, then ensure that the requestFiltering element in the applicationHost.config file has allowDoubleEscaping="true". To configure request filtering:
- On the Web server, open Server Manager.
- Double-click Roles, double-click Web Server (IIS), and then click IIS Manager.
- In the console tree, click the virtual directory that hosts the CRL.
- In the Features view, double-click Request Filtering.
- In the actions view, click Edit Feature Settings.
- Select the Allow Double Escaping checkbox.
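The same setting can be verified and applied from PowerShell, and then proven by fetching a delta CRL through the web server. This is an added example, not code from the original post; it assumes the WebAdministration module is present, that the CRL virtual directory is Default Web Site/CertEnroll, and uses a placeholder delta CRL file name.

```powershell
# Added example: enable double escaping on the CRL virtual directory and confirm that a
# delta CRL (file name containing "+") is actually served. Site/vdir names are assumptions.
Import-Module WebAdministration

$vdirPath = 'IIS:\Sites\Default Web Site\CertEnroll'
$filter   = 'system.webServer/security/requestFiltering'

$before = (Get-WebConfiguration -Filter $filter -PSPath $vdirPath).allowDoubleEscaping
"allowDoubleEscaping before: $before"

if (-not $before) {
    Set-WebConfigurationProperty -Filter $filter -PSPath $vdirPath `
        -Name allowDoubleEscaping -Value $true
}

$after = (Get-WebConfiguration -Filter $filter -PSPath $vdirPath).allowDoubleEscaping
"allowDoubleEscaping after:  $after"

# Placeholder delta CRL name: substitute the CA's own <CAName><CRLNameSuffix>+.crl file.
$deltaUrl = 'http://localhost/CertEnroll/Contoso-CA+.crl'
try {
    $resp = Invoke-WebRequest -Uri $deltaUrl -UseBasicParsing -Method Head
    "Delta CRL fetch: HTTP $($resp.StatusCode)"
} catch {
    # With double escaping disabled IIS answers 404 (error 404.11) for the "+" in the name.
    Write-Warning "Delta CRL fetch failed: $($_.Exception.Message)"
}
```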
Web server role should be installed if authority information access (AIA) extension URIs refer to the local web server
Web server role should be installed if CRL distribution point (CDP) extension URIs refer to the local web server