Since Windows Server 2003, Microsoft has made the installation of Active Directory Certificate Services increasingly straightforward. After a few clicks and an appropriate wait, your Certificate Authority (CA) should be ready to use and issue certificates. That’s the good news.
However, as SSL encryption becomes more necessary and widespread, more and more clients, devices, and applications need to leverage an internal CA, and many of those require some non-default settings to be configured on CA.
Lync MX (the new Lync Client for mobile devices) is a great example. It requires alterations to the published locations of the Certificate Revocation List (CRL). Here’s a quick run through of the changes you’ll need to make to get these services working well.
Open the Certification Authority MMC, and the properties of the CA itself, then select the “Extensions” tab. It should look something like this:
You’ll notice I’ve selected the https:// location and that it is not included in CRLs or the CDP (CRL Distribution Point). This is one of the settings that Lync MX clients (or, potentially, any non-domain device) will require in order to verify that certificates have not been revoked. By default, the CRL is published only into Active Directory, which works very well for domain members. When servicing non-domain devices, however, an https:// location is required.
Checking the “Include in CRLs” and “Include in the CDP Extension” boxes will include that https:// location in certificates as they are issued.
Lync MX also requires that the Authority Information Access (AIA) also be published via https://. You can find the AIA settings in the “Select Extension” menu at the top of this window:
Check the “Include in the AIA extension” box, click OK, and restart the CA service when prompted and you’ll be able to issue certificates that include https:// locations in the their CRLs, as well as the CDP and AIA extensions.
Shane Skriletz, PEI