Publish CDP and AIA on Azure CDN

In this blog post I will demonstrate how to create and configure Azure blob storage combined with Azure CDN (content delivery network) to act as a highly available CDP and AIA location.

Requirements for this setup are:

• Microsoft PKI
• Azure Storage Account
• Azure CDN
• AzCopy

 

My overall design for this setup is like this.

Copy CRT and CRL’s to Azure blob storage

Go to portal.azure.com

create or edit an existing blob storage account.

take note or copy one of the access keys for later use when configuring the copy job.

On the issuing CA, download and install AzCopy from https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/

Create a PowerShell script with the following command

/Dest:  =  Storage account

/DestKey: = Access Key

Files are now uploaded to the Azure Blob Storage Account

On the Issuing CA create a scheduled task running the copy job everyday @ 1:00 am.

This is an example copy job in XML format. Can be imported to Windows Task Scheduler

CDN

Go to portal.azure.com and create a CDN profile

Create a CDN endpoint and point origin to  the blob storage folder “pki”

Configure the endpoint name (CDN url) to match the URL you are planning to put in the http CDP and AIA in all your leaf certificates.

Or preferrably You can type a random name and point your own domain to the CDN url.

example: crl.fabrikam.com

 

now, from a public connection you should be able to access and download crl og crt files.

DNS

In the previous steps I have configured the CDP and AIA locations to a public available http address. This is because I want to enable revocation checking for roaming clients on the internet.

For servers without access to internet and clients on the same LAN connection, we must create a DNS record pointing to an internal web server serving CDP and AIA.