I'm currently designing a new PKI infrastructure and thinking about the CDP and AIA extensions of the root and issuing CAs.
There is more than enough documentation to be found, but (almost) everyone uses the same kind of syntax to build the CDP and AIA URLs. An AIA extension URL, for example:
http://pki.fabrikam.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
This means that every issued certificate gets the following AIA URL in its extension:
http://pki.fabrikam.com/CertEnroll/myrootca_Fabrikam%20Ltd.%20Root%20Certification%20Authority.crt
I don't like this URL at all. First of all, you expose the name of your CA server; second, it contains illegal URL characters (.); and third, with the %20 (spaces) in it, it looks ugly.
Is there any reason why I shouldn't just skip all these variables and use the following name in the AIA/CDP extension URLs, e.g.:
http://pki.fabrikam.com/certenroll/contoso-rca.crt
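As an added example (not part of the original post), the script below shows what the static naming proposed in the question looks like on an AD CS CA, and adds the check a practitioner would want before committing to it: it fetches the caIssuers URL from an issued certificate's AIA extension and confirms that the file served there really is the issuer (Subject Key Identifier of the fetched certificate equals the Authority Key Identifier of the issued one). The assumptions are Windows Server 2012 or later with the ADCSAdministration module, the host name pki.fabrikam.com and the file name contoso-rca from the question, and a web server that already serves files under those names; the function name Test-AiaChain and the variable names are mine.

```powershell
# Added example, not from the original post. Part 1 replaces the variable-based
# http/ldap/file AIA and CDP entries on an AD CS CA with static names; part 2
# verifies that an issued certificate's AIA URL still serves its actual issuer.
# Assumptions: ADCSAdministration module present (Windows Server 2012+), the
# URLs http://pki.fabrikam.com/certenroll/contoso-rca.{crt,crl} from the
# question, and a web server that already hosts files under those names.

Import-Module ADCSAdministration

$BaseUrl  = 'http://pki.fabrikam.com/certenroll'
$CertName = 'contoso-rca'   # static name instead of <ServerDNSName>_<CaName><CertificateName>

# --- Part 1: CA configuration ------------------------------------------------
# Keep the local file-system publish entries (they still use %1_%3%4 / %3%8%9,
# which is what writes the files to disk); drop every http/ldap/file URL.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -match '^(https?|ldap|file):' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri "$BaseUrl/$CertName.crt" -AddToCertificateAia -Force

Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -match '^(https?|ldap|file):' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
# %9 expands to "+" for the delta CRL and to "" for the base CRL, so a single
# entry covers both contoso-rca.crl and contoso-rca+.crl.
Add-CACrlDistributionPoint -Uri "$BaseUrl/${CertName}%9.crl" -AddToCertificateCdp -AddToFreshestCrl -Force

Restart-Service certsvc

# --- Part 2: verification ----------------------------------------------------
# Returns $true when a caIssuers URL in the certificate's AIA extension serves a
# certificate whose Subject Key Identifier equals this certificate's Authority
# Key Identifier. This is what a static name can silently break: after a CA
# renewal with a new key pair the <CertificateName> index that distinguished
# the old and new CA certificates is gone, and one file name serves only one key.
function Test-AiaChain {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $aia  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }   # Authority Information Access
    $aki  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }          # Authority Key Identifier
    if (-not $aia -or -not $aki) { throw "$CertPath lacks an AIA or AKI extension" }

    # Format() returns Windows' text rendering of the extension; take only URLs
    # that follow the caIssuers access method (1.3.6.1.5.5.7.48.2), not OCSP ones.
    $urls = [regex]::Matches($aia.Format($true), '1\.3\.6\.1\.5\.5\.7\.48\.2[\s\S]*?URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    # AKI renders as "KeyID=ab cd ef ..."; normalise to upper-case hex without spaces.
    $wantKeyId = ([regex]::Match($aki.Format($false), 'KeyID=([0-9a-fA-F ]+)').Groups[1].Value -replace '\s', '').ToUpper()

    foreach ($url in $urls) {
        $tmp = [System.IO.Path]::GetTempFileName()
        try {
            Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing
            $issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $tmp
            $ski = ($issuer.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }).SubjectKeyIdentifier
            if ($ski -and $ski.ToUpper() -eq $wantKeyId) {
                Write-Host "OK       $url -> $($issuer.Subject)"
                return $true
            }
            Write-Warning "MISMATCH $url serves '$($issuer.Subject)' (SKI $ski); issued cert expects key $wantKeyId"
        } catch {
            Write-Warning "FETCH FAILED $url : $_"
        } finally {
            Remove-Item $tmp -ErrorAction SilentlyContinue
        }
    }
    return $false
}

# Usage: export any freshly issued certificate and run the check against it.
# Test-AiaChain -CertPath 'C:\temp\issued.cer'
```

Run the check once after issuing the first certificate, and again after every CA certificate renewal; `certutil -verify -urlfetch issued.cer` performs the same AIA retrieval (and the CDP retrieval) from the client side if you prefer the built-in tool. If the CA is ever renewed with a new key pair, either reintroduce a renewal index in the static name or publish the old and new CA certificates under distinct names, since certificates issued under the old key will keep pointing at the old URL.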