Certificate format and content (X.509)
Is the digital signature correct?
Is the certificate still within its validity period?
- HTTP will function for all clients and is the preferred method. LDAP will function only for domain-joined Windows machines (at least by default, and without granting anonymous access to unauthenticated users). If both locations are used, HTTP should be listed first. This is achieved by making it the first URL in the AIA and CDP properties stored under these registry keys (on the issuing CA):
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\<Name of CA>\CACertPublicationURLs
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\<Name of CA>\CRLCertPublicationURLs
- If clients use certificates outside the internal network, the AIA and CDP publication points must be accessible externally. In this case, HTTP would be the better access method, either alone or with priority over LDAP, since we would probably not want our domain controllers to be directly accessible from the outside world.
- The certificate chaining engine will attempt to access the first URL for 10 seconds and, if that fails, the second URL (if present). If we have many non-Windows clients, that is why we should place the HTTP URL first (assuming we use LDAP at all).
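As an added example (not part of the original post), the following Python script checks the ordering rule above against the multi-string values behind `CACertPublicationURLs` and `CRLCertPublicationURLs`. Each entry has the form `flags:url`, where the flag bits are the ones documented for `certutil -setreg`; bit 2 marks entries that are placed into the AIA or CDP extension of issued certificates, so only those entries matter for the client-side ordering. The sample entries, the CA name and the `pki.example.com` host are constructed; `read_publication_urls` is a hypothetical helper that only works when run on the CA itself with the `winreg` module available.

```python
"""Check that HTTP precedes LDAP in a Windows CA's AIA/CDP publication URL lists.

Added example, not the original post's code. Flag bit meanings follow the
certutil -setreg documentation; sample data below is constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Flag bits used in CACertPublicationURLs / CRLCertPublicationURLs entries.
CSURL_SERVERPUBLISH = 1   # the CA writes the CA cert / CRL to this location
CSURL_ADDTOCERTCDP = 2    # URL is placed in the AIA or CDP extension of issued certs

# Constructed sample: LDAP listed ahead of HTTP, the misordering discussed above.
SAMPLE_AIA = [
    r"1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt",
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11",
    "2:http://pki.example.com/CertEnroll/%1_%3%4.crt",
]


def parse_entries(entries: list[str]) -> list[tuple[int, str]]:
    """Split 'flags:url' strings into (flags, url) tuples."""
    parsed = []
    for entry in entries:
        flags, _, url = entry.partition(":")  # first ':' separates the flag prefix
        parsed.append((int(flags), url))
    return parsed


def scheme_of(url: str) -> str:
    """Classify a publication URL as http, ldap or a local file path."""
    scheme = urlsplit(url).scheme.lower()
    return scheme if scheme in ("http", "ldap") else "file"


def check_order(entries: list[str]) -> tuple[bool, list[str]]:
    """Return (ok, schemes) for the entries clients will see in the extension.

    ok is False when an LDAP URL precedes an HTTP URL among client-visible entries,
    which makes non-domain clients wait out the retrieval timeout before falling back.
    """
    visible = [url for flags, url in parse_entries(entries) if flags & CSURL_ADDTOCERTCDP]
    schemes = [scheme_of(url) for url in visible]
    if "http" in schemes and "ldap" in schemes:
        return schemes.index("http") < schemes.index("ldap"), schemes
    return True, schemes


def reorder(entries: list[str]) -> list[str]:
    """Stable sort that moves LDAP entries after everything else, preserving other order."""
    return sorted(entries, key=lambda e: 1 if scheme_of(e.partition(":")[2]) == "ldap" else 0)


def certutil_command(value_name: str, entries: list[str]) -> str:
    """Build the certutil -setreg command for a REG_MULTI_SZ value (entries joined with \\n)."""
    return f'certutil -setreg CA\\{value_name} "{chr(92)}n".join' if False else (
        f'certutil -setreg CA\\{value_name} "' + "\\n".join(entries) + '"'
    )


def read_publication_urls(ca_name: str, value_name: str) -> list[str]:
    """Hypothetical helper: read the live value on the CA itself (Windows only)."""
    import winreg  # only available on Windows; call this on the issuing CA

    key_path = rf"System\CurrentControlSet\Services\CertSvc\Configuration\{ca_name}"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, value_name)
    return list(value)


if __name__ == "__main__":
    ok, schemes = check_order(SAMPLE_AIA)
    print("client-visible order:", schemes, "ok" if ok else "LDAP before HTTP")
    if not ok:
        fixed = reorder(SAMPLE_AIA)
        print("suggested fix:")
        print(certutil_command("CACertPublicationURLs", fixed))
```

Run on the sample, the script reports the LDAP-before-HTTP ordering and prints a `certutil -setreg` line with the HTTP entry moved ahead; the same functions apply unchanged to `CRLCertPublicationURLs`. The CA service must be restarted for a changed publication list to take effect on newly issued certificates.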
- As stated in my blog post on certificate revocation, delta CRLs are almost never needed.