In this blog post I will demonstrate how to create and configure Azure blob storage combined with Azure CDN (content delivery network) to act as a highly available CDP (CRL distribution point) and AIA (authority information access) location.
Requirements for this setup are:
- Microsoft PKI
- Azure Storage Account
- Azure CDN
- AzCopy
My overall design for this setup is like this.
Copy CRT and CRL files to Azure blob storage
Go to portal.azure.com and create a storage account, or edit an existing one.
Create a container for the files (the post uses “pki”) and set its access level to allow anonymous public read access to blobs; without that, neither the CDN nor the clients can fetch the CRL and CRT files.
Take note of, or copy, one of the access keys for later use when configuring the copy job. The access key gives full control of the entire storage account, so treat it as a secret and store it only on the issuing CA.
On the issuing CA, download and install AzCopy from https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/
Create a PowerShell script with the following AzCopy command. The parameters are:
- /Dest: the URL of the destination container in the storage account
- /DestKey: the storage account access key copied earlier
After the script runs, the CRT and CRL files are uploaded to the Azure blob storage account.
On the issuing CA, create a scheduled task that runs the copy job every day at 1:00 AM. Schedule it after the CA's own CRL publication time, and often enough that a fresh CRL always reaches the storage account before the previous one's NextUpdate passes; an expired CRL on the CDP fails revocation checking for every certificate the CA has issued.
This is an example copy job in XML format, as exported from Windows Task Scheduler. It can be imported into Task Scheduler on the issuing CA.
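The copy job and its scheduled task written out as one script, as an added example that is not the post's own script. Saved on the issuing CA (the path C:\Scripts\Publish-PkiToBlob.ps1, the storage account name fabrikampki, the PKI_BLOB_KEY environment variable and the AzCopy install path are all assumptions), it copies the CRT and CRL files with the Windows AzCopy /Source, /Dest and /DestKey syntax the post uses; run it once with -RegisterTask to create the daily 1:00 AM task.

```powershell
# Added example (not from the original post). Publishes CRT/CRL files from the
# issuing CA to the "pki" blob container and, with -RegisterTask, registers the
# daily 01:00 scheduled task that runs this same script. Paths and names are assumptions.
param(
    [string]$CertEnroll     = 'C:\Windows\System32\CertSrv\CertEnroll',   # default CA publication folder
    [string]$StorageAccount = 'fabrikampki',                              # assumed storage account name
    [string]$Container      = 'pki',                                      # container with public blob read access
    [string]$AccessKey      = $env:PKI_BLOB_KEY,                          # access key from the portal; never commit it
    [string]$AzCopy         = 'C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy\AzCopy.exe',
    [switch]$RegisterTask
)

if ($RegisterTask) {
    # The task runs as SYSTEM, so the key must be in a machine-level environment
    # variable (or passed with -AccessKey in the argument string), not a user profile.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '1:00AM'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Publish PKI files to Azure Blob' `
        -Action $action -Trigger $trigger -Principal $principal
    return
}

if (-not $AccessKey)            { throw 'No storage access key supplied (set PKI_BLOB_KEY or pass -AccessKey)' }
if (-not (Test-Path $AzCopy))   { throw "AzCopy not found at $AzCopy" }
if (-not (Test-Path $CertEnroll)) { throw "CertEnroll folder not found at $CertEnroll" }

# Destination container URL in the AzCopy /Dest: form.
$dest = "https://$StorageAccount.blob.core.windows.net/$Container"

# Copy only certificate and CRL files (delta CRLs are named <CA>+.crl and match *.crl).
# /Y answers the overwrite prompt so the job runs unattended from the scheduled task.
foreach ($pattern in '*.crt', '*.crl') {
    & $AzCopy "/Source:$CertEnroll" "/Dest:$dest" "/DestKey:$AccessKey" "/Pattern:$pattern" /Y
    if ($LASTEXITCODE -ne 0) { throw "AzCopy failed for $pattern with exit code $LASTEXITCODE" }
}
```

A storage account access key on the CA is more privilege than the job needs: the same AzCopy version also accepts /DestSAS: in place of /DestKey:, so a shared access signature scoped to the pki container with write permission only limits what an attacker who reads the key from the CA can do to the rest of the storage account.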
CDN
Go to portal.azure.com and create a CDN profile
Create a CDN endpoint whose origin is the storage account, pointing it at the blob storage container “pki”.
Configure the endpoint name (the CDN hostname, <name>.azureedge.net) to match the HTTP URL you plan to put in the CDP and AIA extensions of all your leaf certificates. The URL must be plain http://, not https://: Windows deliberately does not fetch CRLs and issuer certificates over HTTPS, because validating the server certificate would itself require a revocation check.
Preferably, pick any endpoint name and map a domain you own to the CDN hostname with a CNAME record, for example crl.fabrikam.com. CDP and AIA URLs are embedded in every issued certificate and cannot be changed afterwards, so a name you control lets you move the files elsewhere later without reissuing certificates.
Now, from a public (Internet) connection, you should be able to download the CRL and CRT files through the CDN URL. Keep in mind that the CDN caches what it fetches from the blob origin: if the cache lifetime is longer than the interval between CRL publications, clients can be served a stale CRL even after the copy job has uploaded a new one. Either set Cache-Control on the blobs to a max-age shorter than the CRL validity period, or purge the CDN endpoint after each copy.
DNS
In the previous steps I configured the CDP and AIA locations as a publicly available HTTP address, because I want revocation checking to work for roaming clients on the Internet.
For servers without Internet access, and for clients on the internal LAN, create a DNS record for the same name (crl.fabrikam.com) in the internal DNS zone that points to an internal web server serving the same CDP and AIA files. The certificates then carry a single URL, and where it resolves depends on which DNS the client uses.
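A check script for the public download step in the CDN section and for the internal DNS record above, as an added example that is not part of the original post: it shows which address the client resolves the CDP name to, downloads the CRL as CryptoAPI would, reports what the cache in front of it is doing, reads ThisUpdate and NextUpdate with certutil, and runs a full chain and revocation check. The URL, the hostname crl.fabrikam.com and the leaf certificate path are assumptions.

```powershell
# Added example (not from the original post). Run from an Internet-connected client
# to check the CDN, and again from an internal client to check the split DNS record.
# The CRL URL and certificate path are assumptions; replace them with your own.
param(
    [string]$CrlUrl   = 'http://crl.fabrikam.com/pki/Fabrikam%20Issuing%20CA.crl',
    [string]$LeafCert = 'C:\Temp\leaf.cer'   # any certificate issued by the CA
)

$uri = [Uri]$CrlUrl

# 1. CDP/AIA must be plain HTTP: CryptoAPI does not fetch CRLs or issuer certs over HTTPS.
if ($uri.Scheme -ne 'http') { throw "CDP/AIA URLs must use http://, got $($uri.Scheme)://" }

# 2. Which address does this client resolve the name to? Internally this should be the
#    internal web server; from the Internet it should be the CDN edge.
Resolve-DnsName -Name $uri.Host -Type A -ErrorAction Stop |
    Where-Object { $_.IPAddress } |
    ForEach-Object { '{0} -> {1}' -f $_.Name, $_.IPAddress }

# 3. Download the CRL and show the caching headers returned with it.
$tmp  = Join-Path $env:TEMP 'cdp-check.crl'
$resp = Invoke-WebRequest -Uri $CrlUrl -OutFile $tmp -UseBasicParsing -PassThru
'HTTP {0}, {1} bytes, Cache-Control: {2}, Age: {3}' -f $resp.StatusCode,
    (Get-Item $tmp).Length, $resp.Headers['Cache-Control'], $resp.Headers['Age']

# 4. Read ThisUpdate/NextUpdate from the certutil dump and warn if the CRL is stale.
$dump = certutil -dump $tmp
$this = [datetime]::Parse((($dump | Select-String 'ThisUpdate:' | Select-Object -First 1) -replace '.*ThisUpdate:\s*', ''))
$next = [datetime]::Parse((($dump | Select-String 'NextUpdate:' | Select-Object -First 1) -replace '.*NextUpdate:\s*', ''))
"CRL ThisUpdate=$this NextUpdate=$next"
if ($next -lt (Get-Date)) {
    Write-Warning "CRL served at $CrlUrl has expired: clients will fail revocation checks"
} elseif ($next -lt (Get-Date).AddDays(1)) {
    Write-Warning 'CRL expires within 24 hours; make sure the copy job runs before then'
}

# 5. Chain and revocation check the way CryptoAPI does it, fetching every AIA and CDP URL.
if (Test-Path $LeafCert) {
    certutil -verify -urlfetch $LeafCert | Select-String 'Verified|Revocation|ERROR|Failed'
}
```

Step 3 is where a stale CDN cache shows up: a large Age header together with a NextUpdate close to expiry means the edge is still serving an old CRL after the copy job has uploaded a new one, and the endpoint needs a purge or a shorter Cache-Control max-age on the blobs.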

Nice. I’m looking into setting up a new two-tier PKI, and am weighing up whether to go this route or to simply publish the CDP and AIA via Azure AD App Proxy. The benefit of your method is that it’s resilient and highly available without much effort.
Hi Daniel, did you finish your PKI? I never thought about using Azure AD App Proxy or Web Application Proxy for this, but it would work.
However, it would differ from PKI best practices if you published CDP and AIA directly from the Certificate Authority.
Kind regards
Jesper