
Root CA AIA Extensions


Hi All,

I have a question regarding the AIA locations for my PKI infra. My environment:

Two tier – offline root and 4 issuing servers (all in the root domain). All servers are Server 2012 STD.

My offline root CA shows the http URL for AIA under the extensions tab in Root CA properties.

My issuing CA shows the HTTP URL, the LDAP and the OCSP URL entries for AIA under the extensions tab in Issuing CA properties.

Each certificate shows the following information in the AIA field

Root CA Certificate (self signed)

No AIA information.

Issuing Server Certificates

    [1]Authority Info Access
        Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.xx.2)
        Alternative Name:
             URL=http://pki.x.com/pki/x%20x%20Root%20CA.crt

Client Certificates

    [1]Authority Info Access
        Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.xx.2)
        Alternative Name:
             URL=http://pki.x.com/pki/x%20x%20Issuing%20CA%201(1).crt
    [2]Authority Info Access
        Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.xx.1)
        Alternative Name:
             URL=http://ocsp.x.com/ocsp
    [3]Authority Info Access
        Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.xx.2)
        Alternative Name:
             URL=ldap:///CN=x%20x%20Issuing%20CA%201,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=x,DC=x?cACertificate?base?objectClass=certificationAuthority

My questions are:

  1. Should the root CA have the LDAP entry as part of its AIA extensions, or is it OK with just the HTTP URL?
  2. In what instance should the root CA have the LDAP AIA extension – only when it is online?
  3. When I update my root CRL or root cert I have to manually copy over the cr* files and publish them to AD using the certutil –dspublish commands. If the issuing CAs aren’t looking in AD for the root cert, are there any repercussions I should be aware of? (Part of my procedure to update the root cert and CRLs is to copy the files via a script to all the HTTP locations.)
  4. If the HTTP locations go down, does it mean that issuing CAs won’t look in AD to pull down the root certificate?

I am pretty sure my setup is ok, but I just wanted some validation.

Thanks
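As an added example (not part of the original post or of AD CS), a standard-library Python decoder for the AIA extension value behind dumps like the ones above: it recovers each access method and URL from the DER, then groups the caIssuers entries by scheme, which is the HTTP-versus-LDAP split the questions turn on. The OID byte strings are the standard id-ad-caIssuers and id-ad-ocsp values; the sample URLs are constructed placeholders.

```python
# Decode an X.509 Authority Information Access (AIA) value, RFC 5280 4.2.2.1,
# into (accessMethod, URL) pairs using only the standard library.
ACCESS_METHODS = {                          # DER-encoded id-ad OIDs -> method names
    bytes.fromhex("2b06010505073002"): "caIssuers",  # 1.3.6.1.5.5.7.48.2: issuer cert
    bytes.fromhex("2b06010505073001"): "ocsp",       # 1.3.6.1.5.5.7.48.1: status responder
}

def _read_tlv(buf, pos):
    """(tag, contents, next_pos) of the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # 0x8N: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_aia(der):
    """Return [(method_name_or_oid_hex, url)] from an AuthorityInfoAccessSyntax value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE OF AccessDescription")
    entries, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)  # one AccessDescription
        t, oid, p = _read_tlv(desc, 0)      # accessMethod OID
        t2, loc, _ = _read_tlv(desc, p)     # accessLocation; [6] URI is tag 0x86
        if t != 0x06 or t2 != 0x86:
            raise ValueError("unsupported AccessDescription encoding")
        entries.append((ACCESS_METHODS.get(bytes(oid), oid.hex()), loc.decode("ascii")))
    return entries

def issuer_urls_by_scheme(entries):
    """Group caIssuers URLs by scheme, e.g. {'http': [...], 'ldap': [...]}."""
    groups = {}
    for method, url in entries:
        if method == "caIssuers":
            groups.setdefault(url.split(":", 1)[0].lower(), []).append(url)
    return groups

# Constructed sample shaped like the post's client-certificate dump (placeholder URLs):
# caIssuers over HTTP, an OCSP pointer, then caIssuers over LDAP. The total exceeds
# 127 bytes, so the outer SEQUENCE takes a long-form length, as real AIA values do.
def _tlv(tag, body):                        # DER TLV encoder for bodies under 256 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body
def _desc(oid_hex, url):                    # one AccessDescription SEQUENCE
    return _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x86, url))
SAMPLE_AIA = _tlv(0x30,
    _desc("2b06010505073002", b"http://pki.x.com/pki/x%20x%20Issuing%20CA%201(1).crt")
    + _desc("2b06010505073001", b"http://ocsp.x.com/ocsp")
    + _desc("2b06010505073002", b"ldap:///CN=Issuing%20CA%201,CN=AIA,DC=x?cACertificate?base"))
```

Feed `parse_aia` the raw value of extension 1.3.6.1.5.5.7.1.1 from any certificate to see which caIssuers schemes it carries; a chain that lists only an ldap:/// caIssuers URL can only be built by a client that can reach AD.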
