I'm running EJBCA 7_4_3_2 and I'm trying to set my custom "Default CRL Distribution Point" and "OCSP service Default URI" on Adminweb GUI (Certification Authorities -> EditCA).
After setting values for these fields I can successfully download .crl/.crt files via my distribution points. But the files contain no fields with information on the distribution points (or Authority Information Access) I set. Then I create a new certificate profile and set values for "CRL Distribution Point URI" and "OCSP Service Locator URI". Based on my newly created certificate profile I create a new root CA, and then my downloaded files contain fields with AIA and CRL distribution points.
Let me please ask you, should I always create/edit a certificate profile for setting AIA/CRL DP parameters so that they appear in downloaded files (certificates and CRLs)? Or can I somehow set DPs by only editing CA?
Thank you.
Last edit: Victoria Naumenko 2021-11-03
The "default" values set in the CA configuration are convenience options to not have to specify the same URL in all certificate profiles. You must always specify to use a CDP in the relevant certificate profile(s). In the certificate profile(s) you can select to use the default value configured in the CA.
So the answer is Yes, you must always specify the AIA in certificate profile(s).
Cheers,
Tomas
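To confirm that a certificate profile change actually took effect, the issued certificate can be inspected for the two extensions discussed in this thread. The script below is an added example, not part of the original posts or of EJBCA's tooling; it assumes the `openssl` CLI (1.1.1 or later), and the function names, file names and `pki.example` URLs are constructed for illustration.

```shell
#!/bin/sh
# Report whether PEM certificates carry a CRL Distribution Points extension
# and an OCSP entry in Authority Information Access.
# Usage: sh check_pointers.sh cert1.pem [cert2.pem ...]

# has_ext CERT_PEM PATTERN -> exit 0 if PATTERN occurs in the text dump
has_ext() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# check_revocation_pointers CERT_PEM -> prints one status line; returns 0
# when both CDP and an OCSP AIA entry are present, 1 otherwise.
check_revocation_pointers() {
    cert=$1
    missing=""
    has_ext "$cert" "X509v3 CRL Distribution Points" || missing="$missing CDP"
    has_ext "$cert" "OCSP - URI:" || missing="$missing AIA-OCSP"
    if [ -n "$missing" ]; then
        echo "$cert: missing$missing"
        return 1
    fi
    echo "$cert: CDP and AIA-OCSP present"
}

# make_demo_certs DIR -> writes two constructed self-signed certificates:
# without.pem (no pointers, like a profile that does not enable them) and
# with.pem (CDP and OCSP URI set, like a profile that does).
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=no-pointers.example" \
        -keyout "$dir/a.key" -out "$dir/without.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=with-pointers.example" \
        -addext "crlDistributionPoints=URI:http://pki.example/ca.crl" \
        -addext "authorityInfoAccess=OCSP;URI:http://pki.example/ocsp" \
        -keyout "$dir/b.key" -out "$dir/with.pem" 2>/dev/null
}

# Check every certificate named on the command line.
for f in "$@"; do
    check_revocation_pointers "$f" || true
done
```
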