Score:1

Windows Certificate Authority server

xk flag

A default installation of a Microsoft PKI on Windows lists LDAP URLs first within the CRL distribution points (CDP) and Authority Information Access (AIA) extensions.

Question 1 :

I want to issue a certificate from my Windows certificate authority server to a Cisco DNA device, but I want my HTTP-type CRL URL to appear first in the certificate and the internal LDAP URLs second within the CDP and AIA extensions.

Question 2 :

I want to issue a certificate from my Windows certificate authority server to a Cisco DNA device, but I want only the HTTP-type CRL URL included in the certificate, with the internal LDAP URLs removed from the CDP and AIA extensions.

Please let me know whether either of these configurations is possible for a certificate issued from a Windows certificate authority.

Score:0
br flag

Yes, both are possible. But do note that these are server-wide settings, so the values will be the same for all issued certificates.

The setting is in the CA's properties, under Extensions. You cannot reorder the entries from there without deleting them and re-adding them in the required order; deleting the line you don't need, however, is quite easy.

It is probably easier to find the setting in the registry (after making a backup, of course) and reorder the entries there. Look under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>\

You'll find CACertPublicationURLs and CRLPublicationURLs. Both are multi-strings (multi-line strings). Either reorder them or remove the entries you don't need, ensuring the last line is a blank line. Once you've done that, restart the CA service.

Note that Microsoft recommends not using LDAP for either the CRL or the CA certificates (AIA), so if you want to follow their recommendation, simply remove the LDAP lines, either in the GUI or in the registry.

nithyanadham singaravadivelu
xk flag
Hi Gareth, thank you for your response. I understand this is a server-wide setting and we cannot do this for one specific certificate. However, please clarify: would removing the LDAP URL from both CRL and AIA affect the previously issued certificates? Would I need to reissue all the existing certificates? Also, in case of any issues, what is the best way to revert the changes?
br flag
If you've previously issued certificates from this CA, then you will need to continue to publish _to_ LDAP so that those older certificates can still find the CRL in LDAP. You should only remove the entry which has the __Include in the CDP extension of issued certificates__ option selected.
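The following PowerShell script is an added example, not part of the answer or the comments above, showing how the registry procedure described in the answer and the caveat from the last comment can be carried out on the CA itself. It backs up the CA's configuration key, then either reorders the `CRLPublicationURLs` and `CACertPublicationURLs` multi-strings so HTTP entries come before LDAP entries (question 1), or clears only the "Include in the CDP/AIA extension of issued certificates" bit on the LDAP entries while leaving the "publish to this location" bit set (question 2, done the way the comment recommends so older certificates can still find their CRL in LDAP). Each entry has the form `<flags>:<URL>`; the assumption that bit 0x1 means "publish here" and bit 0x2 means "include in issued certificates" matches what `certutil -getreg` decodes, but the URL patterns matched (`http://*`, `ldap:///*`) and the backup location are this example's own choices.

```powershell
# Added example (not from the original post): reorder the CA's CDP/AIA publication
# URLs so HTTP comes before LDAP, or stop embedding the LDAP URL in issued
# certificates while still publishing CRLs to LDAP for already-issued certs.
# Run as a local administrator on the CA. Backup path and URL patterns are assumptions.

#Requires -RunAsAdministrator
param(
    [ValidateSet('Reorder','DropLdapFromCerts')]
    [string]$Mode = 'Reorder'
)

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $base).Active          # name of the active CA instance
$caKey  = Join-Path $base $caName

# 1. Back up the whole CA configuration key before touching anything.
#    Reverting is then a single "reg import <file>" followed by a service restart.
$backup = "$env:TEMP\CertSvc-$caName-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" $backup /y | Out-Null
Write-Host "Registry backup written to $backup (restore with: reg import `"$backup`")"

# Each entry is "<flags>:<url>". Bit 0x1 = publish to this location,
# bit 0x2 = include in the CDP (or AIA) extension of issued certificates.
$IncludeInCert = 2

function Split-Entry([string]$entry) {
    # Split on the first colon only; file paths such as C:\... keep their own colon.
    $flags, $url = $entry -split ':', 2
    [pscustomobject]@{ Flags = [int]$flags; Url = $url }
}

function Update-PublicationUrls([string]$valueName) {
    $entries = (Get-ItemProperty $caKey).$valueName |
        Where-Object { $_ } |                      # drop the trailing blank element, if any
        ForEach-Object { Split-Entry $_ }

    switch ($Mode) {
        'Reorder' {
            # Question 1: HTTP first, LDAP second, anything else (local file paths) last.
            $http  = $entries | Where-Object { $_.Url -like 'http://*' }
            $ldap  = $entries | Where-Object { $_.Url -like 'ldap:///*' }
            $other = $entries | Where-Object { $_.Url -notlike 'http://*' -and $_.Url -notlike 'ldap:///*' }
            $ordered = (@($http) + @($ldap) + @($other)) | Where-Object { $_ }
        }
        'DropLdapFromCerts' {
            # Question 2: keep publishing to LDAP (older certs still point there) but
            # clear the "include in issued certificates" bit on every LDAP entry.
            $ordered = $entries | ForEach-Object {
                if ($_.Url -like 'ldap:///*') { $_.Flags = $_.Flags -band (-bnot $IncludeInCert) }
                $_
            }
        }
    }

    $newValue = [string[]]($ordered | ForEach-Object { "$($_.Flags):$($_.Url)" })
    Write-Host "`n$valueName will become:"
    $newValue | ForEach-Object { Write-Host "  $_" }
    # Writing a string array as REG_MULTI_SZ needs no trailing blank element
    # (that requirement only applies when editing by hand in regedit).
    Set-ItemProperty -Path $caKey -Name $valueName -Value $newValue -Type MultiString
}

Update-PublicationUrls 'CRLPublicationURLs'     # CDP extension of issued certificates
Update-PublicationUrls 'CACertPublicationURLs'  # AIA extension of issued certificates

# 2. The CA reads these values at start-up: restart it, republish the CRL,
#    and print the decoded result (certutil shows the flag names per entry).
Restart-Service certsvc
certutil -crl | Out-Null
certutil -getreg ca\CRLPublicationURLs
certutil -getreg ca\CACertPublicationURLs
```

Run it with `-Mode Reorder` for question 1 or `-Mode DropLdapFromCerts` for question 2. Certificates that were already issued are unaffected either way: their CDP and AIA extensions are fixed at issuance, which is exactly why the LDAP entry keeps its publish bit in the second mode rather than being deleted. The `%1`, `%3`, `%8` and similar tokens in the stored URLs are the CA's own placeholders and are written back untouched. The same values can also be set with `certutil -setreg CA\CRLPublicationURLs` and `certutil -setreg CA\CACertPublicationURLs`, passing the complete list of entries in the desired order.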