PKI: How to manually set the AIA and CDP file name for a subordinate CA

Darkmoutch 0 Reputation points
2025-03-13T14:27:00.2033333+00:00

Hello,
I would like to know how to change the AIA file name on an intermediate CA.

I can change the name of the CRL file with the "Extensions" tab of my intermediate CA and it works well.
But I don't know how to change the default name of the AIA file...
By default the name is "<ServerDNSName>_<CAName><CertificateName>.crt", and if I want to force a personalized file name (e.g. C:\Windows\system32\certsrv\CertEnroll\MySubCa.crt) and restart the service, a new .crt file is generated, but with the default name.

Forcing a new file name with the CDP extensions is possible, but for AIA it seems not?

Thank you very much for your answer.


1 answer

Chen Tran 1,645 Reputation points Independent Advisor
2025-08-11T10:22:47.8766667+00:00

Hello,

Thank you for posting your question on the Microsoft Windows Forum.

Regarding your query about changing the AIA file name on an intermediate CA: changing the AIA (Authority Information Access) file name for an intermediate CA isn't as straightforward as modifying the CDP (CRL Distribution Point) file names. The AIA file name is generated automatically based on the CA's configuration. The default naming convention <ServerDNSName>_<CAName><CertificateName>.crt is hardcoded into the CA service for AIA files. Unlike CDP, Microsoft does not expose a direct GUI or simple configuration to fully customize the AIA filename.

You can consider the following suggestions as workarounds.

1. Copy/duplicate the file under your preferred name
  • Keep the default publication so AD CS manages it normally.
  • After service start or renewal, copy the latest CA cert to your desired name inside the same CertEnroll directory.
  • Point your HTTP AIA URL to the stable "friendly" filename.
2. Create an IIS rewrite/alias
  • Leave the physical file with the default name.
  • Use IIS URL Rewrite to serve "MySubCa.crt" while mapping it internally to the actual file. This avoids file copies and lets you keep a stable public URL.
3. Publish to AD (LDAP AIA) and keep HTTP minimal
  • Many domain-joined clients will fetch the issuing CA cert from LDAP automatically.
  • Keep the HTTP AIA with the default filename and rely on LDAP for resilience. This sidesteps the filename requirement unless a device explicitly needs the HTTP path and a fixed name.

You can refer to the following article for more information.

https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1

Hope the above information is helpful!

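The workarounds in the answer above, as an added PowerShell example run on the sub CA itself (this is not code from the question or the answer). It locates the default-named CA certificate in CertEnroll by thumbprint rather than by guessing, copies it to the friendly name (workaround 1), can instead emit an IIS URL Rewrite rule mapping the friendly name to the real file (workaround 2), advertises the friendly HTTP URL in the AIA extension, and leaves the LDAP location in place (workaround 3). Assumed, and not from the page: the HTTP alias pki.example.com with /pki mapped to C:\inetpub\wwwroot\pki, the friendly name MySubCa.crt, the ADCSAdministration module (Windows Server 2012 and later), and the IIS URL Rewrite module for the rewrite variant.

```powershell
# Added example, not the original poster's or the answerer's code.
# Assumed names: pki.example.com, C:\inetpub\wwwroot\pki, MySubCa.crt.
#Requires -RunAsAdministrator
Import-Module ADCSAdministration

$FriendlyName = 'MySubCa.crt'
$HttpAia      = "http://pki.example.com/pki/$FriendlyName"
$CertEnroll   = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$WebRoot      = 'C:\inetpub\wwwroot\pki'
$CfgKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The CA stores one hash per CA certificate in CACertHash; the last entry is the
# certificate currently used for signing. PowerShell string -eq is case-insensitive,
# so the lowercase, space-separated hash compares cleanly against .Thumbprint.
function Get-CurrentCACert {
    $caName = (Get-ItemProperty $CfgKey).Active
    $hashes = @((Get-ItemProperty (Join-Path $CfgKey $caName)).CACertHash)
    [pscustomobject]@{
        Name       = $caName
        Index      = $hashes.Count - 1          # 0 = original cert, n = n-th renewal
        Thumbprint = ($hashes[-1] -replace '\s', '')
    }
}

# The default AIA file name the CA writes: <ServerDNSName>_<CAName><CertificateName>.crt,
# where CertificateName is empty for the original cert and "(n)" after the n-th renewal.
# ServerDNSName is taken here as the host's FQDN from DNS (assumption).
function Get-DefaultAiaFileName([pscustomobject]$ca) {
    $fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $suffix = if ($ca.Index -gt 0) { "($($ca.Index))" } else { '' }
    "${fqdn}_$($ca.Name)$suffix.crt"
}

# Workaround 1: copy the default-named file to the friendly name, but only after
# checking that the file really is the current CA certificate.
function Publish-FriendlyCACert([pscustomobject]$ca, [string]$TargetDir) {
    $source = Join-Path $CertEnroll (Get-DefaultAiaFileName $ca)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $source
    if ($cert.Thumbprint -ne $ca.Thumbprint) {
        throw "$source is not the current CA certificate (expected $($ca.Thumbprint))"
    }
    $dest = Join-Path $TargetDir $FriendlyName
    Copy-Item $source $dest -Force
    $dest
}

# Workaround 2: serve the friendly name via URL Rewrite, leaving the physical file alone.
# Writes a web.config into the directory the /pki virtual directory points at.
function Write-AiaRewriteRule([pscustomobject]$ca, [string]$SiteDir) {
    $actual  = [uri]::EscapeDataString((Get-DefaultAiaFileName $ca))
    $pattern = [regex]::Escape($FriendlyName)
    @"
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Friendly AIA file name" stopProcessing="true">
          <match url="^$pattern`$" />
          <action type="Rewrite" url="$actual" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"@ | Set-Content -Path (Join-Path $SiteDir 'web.config') -Encoding UTF8
}

# Advertise the friendly HTTP URL in the AIA extension of newly issued certificates.
# Do not remove the LDAP entry an enterprise CA has by default (workaround 3): domain
# members fall back to it if the HTTP path is ever wrong.
$aia = Get-CAAuthorityInformationAccess
if (-not ($aia | Where-Object Uri -like 'ldap:///*')) { Write-Warning 'No LDAP AIA location configured' }
if (-not ($aia | Where-Object Uri -eq $HttpAia)) {
    Add-CAAuthorityInformationAccess -Uri $HttpAia -AddToCertificateAia -Force
    Restart-Service CertSvc      # AIA/CDP changes only take effect after a restart
}

$ca   = Get-CurrentCACert
$copy = Publish-FriendlyCACert $ca $WebRoot
Write-Host "CA certificate $($ca.Thumbprint) published as $copy"
# Rewrite variant instead of the copy, when the site serves CertEnroll directly:
# Write-AiaRewriteRule $ca $CertEnroll

# Check from any domain member with a certificate issued by this CA (issued.cer is an
# assumed file name): each AIA URL must report "Verified" in the chain output.
# certutil -verify -urlfetch .\issued.cer
```

Rerun the script after every CA certificate renewal: the renewal bumps the "(n)" suffix of the default file name, so the friendly copy (or the rewrite target) would otherwise keep serving the previous CA certificate, and the thumbprint check above is what turns that into a hard error instead of a silent chain-building failure on clients.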
