Microsoft ADCS – How to Redirect the HTTP URLs for CDP and AIA from old CA to new CA

2013-03-01 Initial Post

Microsoft's Active Directory Certificate Services (ADCS) is a type of certification authority (CA) (a lot of people misspell that as "certificate" authority). A CA issues certificates in the X.509 format (the standard for digital certificates) for computer security purposes. When an organization sets up its own Certificate Services infrastructure, that essentially becomes its public key infrastructure (PKI): ADCS functions as the CA within the PKI, and the CA together with all its supporting systems makes up the PKI. You might see all three terms used interchangeably, and many documents just refer to a server running ADCS as "the CA."

Recently I had to upgrade/migrate a Windows Server 2003 SP2 Certificate Services server to a new Windows Server 2008 R2 SP1 server. The old server also had Rights Management Services (RMS) installed, so we had to keep that running and could not rename the server because that would break RMS.

Migrating CS to a server with a new name created some additional challenges. Microsoft has a pretty clear document, Active Directory Certificate Services Upgrade and Migration Guide, that covers all the steps except for how to redirect the HTTP URLs for the CDP (certificate revocation list distribution point) and AIA (authority information access; basically this is just a URL to the root CA certificate file) from the old CA to the new CA. There are several articles from MS and other sites/blogs on how to upgrade/migrate CS, but they don't clearly explain (or even skip) how to redirect the HTTP URLs for the CDP and AIA.

The CDP is important because some applications/browsers will warn the user or might restrict access to a resource whose certificate CDP cannot be reached (of all the browsers I tested, Safari actually gave a warning when the CDP wasn't accessible). There are many articles on how certificate revocation works, so I won't elaborate on that, but know that the CRL/CDP is an important component of a PKI. By redirecting the CDP URL, you end up redirecting the AIA URL as well, since by default both are served from the same CertEnroll virtual directory on the CA's web server. Note that I'm only discussing the HTTP URLs here.

There are also LDAP URLs, but they are easily "redirected" via the steps in the Active Directory Certificate Services Upgrade and Migration Guide. Basically you have the new CA publish the CRL to the old LDAP path in addition to its own path, so clients that still reference the old path get the latest CRL.
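Whatever method you use for the HTTP redirect, the thing worth checking afterwards is that the URLs baked into already-issued certificates still work. The following PowerShell script is an added example of such a check, not part of the original post or the PDF: it reads the CDP and AIA extensions from a certificate issued by the old CA, then confirms that each http:// URL either still answers directly or redirects to the new CA. The certificate path and the new CA host name are placeholder assumptions.

```powershell
# Added example: verify CDP/AIA HTTP URLs after a CA migration (PowerShell 2.0 compatible).
param(
    [string]$CertPath  = 'C:\temp\issued-cert.cer',  # assumption: any cert issued by the old CA
    [string]$NewCaHost = 'newca.example.com'          # assumption: host name of the new CA web server
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Pull every http:// URL out of an extension. X509Extension.Format() returns the same
# text certutil prints, so a regex on "URL=" is enough for both CDP and AIA.
function Get-HttpUrlsFromExtension {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [string]$Oid)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(http://[^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}

# Issue a HEAD request without following redirects so the 301/302 itself is visible.
function Test-CaUrlRedirect {
    param([string]$Url, [string]$ExpectedHost)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Method = 'HEAD'
    try { $resp = $req.GetResponse() } catch [System.Net.WebException] { $resp = $_.Exception.Response }
    if (-not $resp) {
        return New-Object PSObject -Property @{ Url = $Url; Status = 'no response'; Location = $null; Ok = $false }
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()
    # Pass if the old name still serves the file, or redirects somewhere on the new CA.
    $redirected = (@(301, 302, 307, 308) -contains $status) -and ($location -like "http://$ExpectedHost/*")
    $ok = ($status -eq 200) -or $redirected
    New-Object PSObject -Property @{ Url = $Url; Status = $status; Location = $location; Ok = $ok }
}

$cdpOid = '2.5.29.31'          # CRL Distribution Points
$aiaOid = '1.3.6.1.5.5.7.1.1'  # Authority Information Access
$urls = @(Get-HttpUrlsFromExtension $cert $cdpOid) + @(Get-HttpUrlsFromExtension $cert $aiaOid)
$urls | ForEach-Object { Test-CaUrlRedirect -Url $_ -ExpectedHost $NewCaHost } |
    Format-Table Url, Status, Location, Ok -AutoSize
```

Any row with Ok = False points at a URL that clients holding older certificates will fail to fetch, which is exactly the CRL-checking failure the browsers warn about.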

Here are my instructions for redirecting the HTTP URLs for CDP and AIA from old CA to new CA, in PDF format: Microsoft ADCS

