Another question for our new PKI design.
Most of the issued certificates will be used by domain clients and users. However, we will also use certificates for DirectAccess, which means CRL and AIA checking must also work for internet clients.
As far as I understand the documentation, the URLs defined for CDP and AIA checking are checked in order. Let's say I configure the following CDP paths and enable the option "Include in the CDP extension of issued certificates":
1. HTTP
2. LDAP
Is it true that all clients (internal and external) will use option 1 first and fall back to option 2? Basically this means that domain clients will never check LDAP (well, at least as long as URL 1 is accessible)?
When I change the order to LDAP first, so:
1. LDAP
2. HTTP
Will this mean that CRL and AIA checking for internet clients will take a lot of extra time? First it tries to access the LDAP path, and after some time it falls back to HTTP? Or are internet clients smart enough to skip the LDAP path?
Another thing I don't like about publishing in AD is that your AD configuration ends up in every issued certificate.
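As an added example (not part of the original post): the first configuration described above, HTTP as CDP entry 1 and LDAP as entry 2, expressed with the ADCSAdministration cmdlets on the CA, followed by a check of which URLs a client actually tries and in which order. The publishing host pki.example.com, the path C:\Temp\test.cer and the variable tokens in angle brackets (which the CA expands itself) are placeholders; the cmdlets keep entries in the order they were added, and that order is what is written into the extension of certificates issued afterwards.

```powershell
# Added example, not from the original post. Run on the issuing CA as a CA administrator.
# Assumptions: the public web publishing point is http://pki.example.com/pki/ (placeholder),
# the CRL files are copied there by a separate job, and C:\Temp\test.cer is a certificate
# issued by this CA that you want to test (placeholder path).
Import-Module ADCSAdministration

$HttpBase = 'http://pki.example.com/pki'   # placeholder, not a real host

# Remove the existing HTTP and LDAP entries so they can be re-added in the wanted order.
# The file:// entry (local CertEnroll publication) is left untouched.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'http:*' -or $_.Uri -like 'ldap:*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# CDP entry 1: HTTP. Included in the CDP extension of issued certificates and in the
# "freshest CRL" (delta CRL) pointer. Reachable by domain and internet clients alike.
Add-CACrlDistributionPoint `
    -Uri "$HttpBase/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# CDP entry 2: LDAP. The CA publishes base and delta CRLs to AD (PublishToServer /
# PublishDeltaToServer) and the URL is also placed in the extension, after the HTTP one.
Add-CACrlDistributionPoint `
    -Uri 'ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>' `
    -PublishToServer -PublishDeltaToServer -AddToCertificateCdp -AddToFreshestCrl -Force

# Same ordering for AIA: HTTP first, LDAP second.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -like 'http:*' -or $_.Uri -like 'ldap:*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

Add-CAAuthorityInformationAccess `
    -Uri "$HttpBase/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

Add-CAAuthorityInformationAccess `
    -Uri 'ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>' `
    -AddToCertificateAia -Force

# Show the resulting order as stored in CRLPublicationURLs / CACertPublicationURLs.
Get-CACrlDistributionPoint      | Select-Object Uri, AddToCertificateCdp, PublishToServer
Get-CAAuthorityInformationAccess | Select-Object Uri, AddToCertificateAia

# Apply: the CA service must be restarted for the new URLs to take effect, and a fresh
# CRL must be published so the LDAP and HTTP locations actually contain one.
Restart-Service certsvc
certutil -CRL

# Check from a client: -urlfetch retrieves every CDP and AIA URL in the certificate chain
# in the order they appear in the extensions and reports Verified/Failed and the time
# taken for each. Run it on a domain-joined machine and on a non-domain machine
# (e.g. a DirectAccess client on the internet) to compare the behaviour of the two orders.
certutil -verify -urlfetch C:\Temp\test.cer
```

Only certificates issued after the change carry the new extension; certificates already in the field keep the old URL order until they are renewed. The certutil check is the practical way to settle the timing question for internet clients: the output lists each URL attempted with its outcome, so a slow or failing ldap:/// fetch ahead of the HTTP one shows up directly.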