I'm new to ADCS, and need to confirm some things. I've set up a 2-tier PKI, and have placed the offline root CA certificate (CRT) and CRL files on a web server. When I configured the CDP and AIA extensions for certs issued from the root, I hard-coded the full HTTP URL, including the CRL/CRT file names. For example: http://cdp.mydomain.com/CertEnroll/myrootca.crl
Now I am wondering how bad a choice that was. I did not use any substitution variables as I should have.
The root CA is not going to be using delta CRLs, so I am thinking the CRL file name will not change and can be replaced with the same file name every time it is renewed. Is this correct? As for the AIA extension, I did not check to include it in issued certs. We don't plan to issue or use certs with non-domain machines. I am thinking domain machines will find the root certificate in AD, or via Group Policy, anyway.
If it turns out these hard-coded URL paths will become a problem, is it possible to update them now, so that the next time I renew my issuing CA's cert from the root it will have the updated, dynamic CDP at that point? I hope I don't have to remove everything and start over, but that's still an option since I've only just issued the one CA cert from my root.
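As an added example (not part of the question or of any answer to it), the following PowerShell session, run elevated on the CA itself, lists the CDP and AIA entries currently configured, removes a hard-coded HTTP entry, adds the same locations in the substitution-variable form, restarts the CA service and republishes the CRL. The host name cdp.mydomain.com, the CertEnroll path and the file name myrootca.crl are taken from the question and are placeholders; the cmdlets are those of the ADCSAdministration module that ships with the ADCS role.

```powershell
# Added example, not code from the original post. Assumes the ADCSAdministration
# module (installed with the ADCS role) and the placeholder host cdp.mydomain.com
# from the question. Run in an elevated PowerShell session on the CA.
Import-Module ADCSAdministration

# 1. Show what is configured today. Entries containing a literal file name
#    such as myrootca.crl are the hard-coded ones.
Get-CACrlDistributionPoint | Format-Table Uri, PublishToServer, AddToCertificateCdp -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia -AutoSize

# 2. Remove the hard-coded HTTP CDP entry (URL taken from the question, placeholder).
$oldCdp = 'http://cdp.mydomain.com/CertEnroll/myrootca.crl'
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -eq $oldCdp } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# 3. Add the same location with substitution variables. The CA expands
#    <CaName> to the CA's sanitized name, <CRLNameSuffix> to "" for the first
#    key and "(1)", "(2)", ... after a renewal with a new key, <DeltaCRLAllowed>
#    to "+" only when delta CRLs are enabled (so it stays empty here), and
#    <CertificateName> to the index of the CA certificate ("", "(1)", ...).
$cdpUri = 'http://cdp.mydomain.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
Add-CACrlDistributionPoint -Uri $cdpUri -AddToCertificateCdp -Force

$aiaUri = 'http://cdp.mydomain.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt'
Add-CAAuthorityInformationAccess -Uri $aiaUri -AddToCertificateAia -Force

# 4. The CA reads these values at service start-up, so restart, then republish
#    the CRL so a fresh file with the expanded name is written locally.
Restart-Service CertSvc
certutil -crl

# 5. Check the result. The expanded file names written here are exactly the
#    names the web server at cdp.mydomain.com must serve after you copy them.
Get-CACrlDistributionPoint | Where-Object { $_.AddToCertificateCdp } | Select-Object -ExpandProperty Uri
Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll" -Filter *.crl |
    Select-Object Name, LastWriteTime

# 6. Certificates already issued keep the old URL embedded in them. To check
#    any certificate end to end, including fetching its CDP/AIA over HTTP:
#    certutil -verify -urlfetch .\IssuingCA.crt
```

The new URLs only affect certificates issued (or renewed) after the restart; the CDP and AIA extensions of a certificate that already exists are fixed at issuance, which is why step 6 verifies an existing certificate against whatever URL it actually contains.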