In this blog post I will demonstrate how to create and configure Azure blob storage combined with Azure CDN (content delivery network) to act as a highly available CDP (CRL distribution point) and AIA (authority information access) location.
Requirements for this setup are:
- Microsoft PKI
- Azure Storage Account
- Azure CDN
My overall design for this setup is like this.
Copy CRT and CRL files to Azure blob storage
Go to portal.azure.com
Create a new storage account or open an existing one, and create the container the files will live in (for example "pki"). Give the container anonymous read access for blobs: clients and the CDN origin fetch CRLs and certificates without authentication.
Take note of one of the access keys; you will need it when configuring the copy job.
On the issuing CA, download and install AzCopy from https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/ (if policy forbids the issuing CA outbound internet access, run the copy job from a separate publishing host that reads the CertEnroll share instead).
Create a PowerShell script with the following command
/Dest: = the container URL in the storage account
/DestKey: = the storage account access key
The files are now uploaded to the blob storage account.
On the issuing CA, create a scheduled task that runs the copy job every day at 1:00 am. Make sure the schedule is shorter than the CRL publication interval (and its overlap period), so a fresh CRL is always uploaded before the one clients hold expires.
This is an example of the scheduled task in XML format; it can be imported into Windows Task Scheduler.
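The copy job and the scheduled task, as one added example script (not the post's own script or XML). It assumes the legacy AzCopy v7 command-line syntax the post refers to (`/Source: /Dest: /DestKey:`; AzCopy v10 uses `azcopy copy` instead), the default AzCopy install path, and hypothetical values for the storage account `contosopki`, the container `pki`, the key file and the script location. Run it once with `-Install` to register the 01:00 task; every later run performs the copy.

```powershell
<#
  Publish-PkiToBlob.ps1 -- added example; not the post's own script.
  Uploads the issuing CA's CRL and CRT files to an Azure blob container with
  the legacy AzCopy (v7, /Source: /Dest: /DestKey: syntax) and, with -Install,
  registers itself as the daily 01:00 scheduled task.
  Hypothetical values: storage account "contosopki", container "pki",
  the key file path and the script path.
#>
param([switch]$Install)

$ScriptPath = $MyInvocation.MyCommand.Path
$AzCopy  = 'C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy\AzCopy.exe'  # default v7 install path (assumption)
$Source  = 'C:\Windows\System32\CertSrv\CertEnroll'                         # where certsrv writes the CRLs and the CA cert
$Dest    = 'https://contosopki.blob.core.windows.net/pki'                   # hypothetical account + container
$KeyFile = 'C:\PKI\blobkey.txt'                                             # key kept outside the script; ACL it to SYSTEM/admins only

if ($Install) {
    # Run once as an administrator on the CA: daily at 01:00 as SYSTEM, no interactive logon needed.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At 1am
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Publish PKI to Azure blob' -Action $action -Trigger $trigger -Principal $principal
    return
}

$DestKey = (Get-Content $KeyFile -Raw).Trim()

# One AzCopy run per file type so each blob gets the right MIME type.
# /Pattern selects the files, /SetContentType sets the blob Content-Type,
# /XO skips files that are not newer than the blob already there, /Y suppresses prompts.
$jobs = @(
    @{ Pattern = '*.crl'; ContentType = 'application/pkix-crl'  },
    @{ Pattern = '*.crt'; ContentType = 'application/pkix-cert' }
)
foreach ($job in $jobs) {
    & $AzCopy "/Source:$Source" "/Dest:$Dest" "/DestKey:$DestKey" `
              "/Pattern:$($job.Pattern)" "/SetContentType:$($job.ContentType)" '/XO' '/Y'
    if ($LASTEXITCODE -ne 0) {
        # Exit non-zero so Task Scheduler records the failure in "Last Run Result" and you can alert on it.
        Write-Error "AzCopy failed for $($job.Pattern) with exit code $LASTEXITCODE"
        exit $LASTEXITCODE
    }
}
```

The full storage account key gives write access to every container in the account and is visible in the process command line while AzCopy runs; if you can, replace `/DestKey:` with `/DestSAS:` and a SAS token scoped to write on the `pki` container only, which limits what a compromised CA or publishing host can do with it.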
Go to portal.azure.com and create a CDN profile
Create a CDN endpoint and point its origin to the blob storage container "pki".
Configure the endpoint name (the CDN URL) to match the URL you plan to put in the HTTP CDP and AIA extensions of all your leaf certificates.
Preferably, pick any endpoint name and map your own domain to it as a custom domain. The CDP and AIA URLs are baked into every certificate you issue, so owning the hostname lets you move the backend later without reissuing certificates.
From a public connection you should now be able to download the CRL and CRT files. Keep in mind that the CDN caches what it serves: after the copy job publishes a new CRL, clients may keep receiving the cached copy until the CDN's TTL expires, so purge the endpoint after publishing or keep the cache lifetime well inside the CRL's validity window.
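A check script for this step, as an added example that is not part of the original post. It fetches the CRL over plain HTTP the way CryptoAPI does, prints the response headers that reveal CDN caching, and fails if the CRL's NextUpdate is already in the past, which is what a stale CDN copy or a silently failing copy job looks like to clients. The hostname and CRL file name are hypothetical; the header names that indicate a cache hit vary by CDN provider, and the NextUpdate parsing assumes `certutil -dump` prints dates in the current locale.

```powershell
<#
  Test-PkiCdp.ps1 -- added example; not from the original post.
  Verifies that the public CDP URL serves a fresh CRL.
  Hypothetical URL below; pass -CrlUrl to test your own.
#>
param(
    [string]$CrlUrl = 'http://pki.contoso.com/pki/Contoso%20Issuing%20CA.crl'
)

$tmp = Join-Path $env:TEMP 'cdp-check.crl'

# Plain HTTP on purpose: CDP/AIA fetches by Windows clients are HTTP, not HTTPS.
$resp = Invoke-WebRequest -Uri $CrlUrl -OutFile $tmp -PassThru -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "HTTP $($resp.StatusCode) from $CrlUrl" }

# Content-Type should be application/pkix-crl. An Age header (or a provider-specific
# X-Cache style header) means the CDN answered from cache rather than from the blob.
'Content-Type', 'Cache-Control', 'Age', 'Last-Modified' | ForEach-Object {
    if ($resp.Headers[$_]) { '{0,-14} {1}' -f $_, ($resp.Headers[$_] -join ' ') }
}

# certutil -dump prints ThisUpdate/NextUpdate; an expired CRL makes revocation checking fail.
$dump = certutil -dump $tmp
$m = $dump | Select-String 'NextUpdate:\s*(.+)$'
if (-not $m) { throw "Could not find NextUpdate in certutil output; is $tmp a CRL?" }
$nextUpdate = [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim())
if ($nextUpdate -lt (Get-Date)) {
    throw "CRL expired at $nextUpdate: the CDN is serving a stale copy or the copy job failed"
}
"CRL valid until $nextUpdate"

# End-to-end check the way Windows does it: fetch every CDP and AIA URL in a leaf certificate.
# certutil -verify -urlfetch C:\PKI\leaf.cer
```

Run it from a machine outside your network (a home connection or a cloud VM) as well as from the LAN; the two paths hit different DNS answers once the internal web server is in place, and both must return a current CRL.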
In the previous steps I have configured the CDP and AIA locations to a publicly available HTTP address. This is because I want to enable revocation checking for roaming clients on the internet.
For servers without internet access and clients on the same LAN, create an internal DNS record for the same hostname (split-horizon DNS) that points to an internal web server serving the same CDP and AIA files.