Channel: Security forum

Best Practices regarding AIA and CDP extensions


Based on the guide "AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment", I'll have both internal and external users (with a CDP in the DMZ), so I have a few questions regarding the configuration of AIA/CDP.

From here: http://technet.microsoft.com/en-us/library/cc780454(v=ws.10).aspx

A root CA certificate should have an empty CRL distribution point because the CRL distribution point is defined by the certificate issuer. Since the root's certificate issuer is the root CA, there is no value in including a CRL distribution point for the root CA. In addition, some applications may detect an invalid certificate chain if the root certificate has a CRL distribution point extension set.

  • To have an empty CDP, do I have to add these lines to the CAPolicy.inf of the Offline Root CA?

        [CRLDistributionPoint]
        Empty = true

  • What about the AIA? Should it be empty for the root CA?
  • Using only HTTP CDPs seems to be the best practice, but what about the AIA? Should I only use HTTP?
  • Since I'll be using only HTTP CDPs, should I use LDAP Publishing? What is the benefit of using it, and what is the best practice regarding this?
  • If I don't want to use LDAP Publishing, should I omit these commands?

        certutil -f -dspublish "A:\CA01_Fabrikam Root CA.crt" RootCA
        certutil -f -dspublish "A:\Fabrikam Root CA.crl" CA01

Thank you,
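An added example, not from the original post or from Microsoft's guide: a small Python lint that reads a root CA's CAPolicy.inf and reports whether the [CRLDistributionPoint] and [AuthorityInformationAccess] sections declare Empty=True rather than URL entries, which is the root-CA configuration the quoted TechNet text calls for (the same reasoning applies to the AIA, since the root's issuer is itself). The sample CAPolicy.inf content and its URL are constructed for the example.

```python
"""Lint a root CA CAPolicy.inf for empty CDP/AIA sections (added example)."""
from typing import Dict, List, Tuple

# Constructed sample: an offline root CA's CAPolicy.inf where someone left an
# HTTP CDP URL in place instead of Empty=True.
SAMPLE_CAPOLICY_INF = """\
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

[CRLDistributionPoint]
URL=http://pki.example.test/crl/root.crl

[AuthorityInformationAccess]
Empty=True
"""

# Sections whose content matters for a root CA; keys are lower-cased for lookup.
ROOT_SECTIONS = {"crldistributionpoint": "CRLDistributionPoint",
                 "authorityinformationaccess": "AuthorityInformationAccess"}


def parse_inf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal .inf parser: section (lower-cased) -> list of (key, value).
    Repeated keys such as several URL= lines are kept, unlike configparser."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in .inf files
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key.lower(), value))
    return sections


def lint_root_capolicy(text: str) -> List[str]:
    """Return findings for a root CA policy; an empty list means it matches."""
    sections = parse_inf(text)
    findings: List[str] = []
    for key, display in ROOT_SECTIONS.items():
        entries = sections.get(key)
        if entries is None:
            # Absent section: the intent to leave the extension out is not explicit.
            findings.append(f"[{display}] missing: add Empty=True")
            continue
        urls = [v for k, v in entries if k == "url"]
        empty = any(k == "empty" and v.lower() == "true" for k, v in entries)
        if urls:
            findings.append(f"[{display}] lists {len(urls)} URL(s); a root CA should use Empty=True")
        elif not empty:
            findings.append(f"[{display}] has neither Empty=True nor a URL entry")
    return findings
```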