Hello all,
I'm planning a new (2 tier) PKI with Windows 2012 R2. Older literature recommends publishing CA Certificates and Certificate Revocation Lists to LDAP and Webservers, which is not recommended today. Most up-to-date recommendations say "Publish HTTP only".
I agree on this point, and I'll add only HTTP paths to my certificates for CDP & AIA extensions. However, what would be the downside of publishing the CRT and CRL files to my Active Directory using certutil -dspublish, too?
Andrzej says in his
blog post "As HTTP is recommended path to publish CRT and CRL there is no need to use CDP and AIA with LDAP and to publish them to AD." And yes, there might be no NEED for this. But Brian says in his book Windows Server 2008 PKI and Certificate
Security "The processing of Group Policy triggers the autoenrollment mechanism, initiating the automatic download for any certificates or CRLs published in AD DS to the forest members."
I understand that as: Domain-joined Windows clients do not have to contact the Web Server in CDP/AIA of a certificate, because both, CRL and CRT, are already obtained from the client, if the files are published to Active Directory.
So wouldn't in it be the best practice to publish only http paths to:
- Publish http paths only for CDP and AIA information in issued certificates for highest compatibility and least information leak
- But still publish the actual CRLs and CRTs to Active Directory to increase availability and decrease traffic over WAN (because AD is already decentralized) for domain members
What's your opinion on this? And does anyone have more detailed information of how exactly a Windows client does certificate chaining and revocation checking?
Michael
