
Publish CDP and AIA on Azure CDN

In this blog post I will demonstrate how to create and configure Azure blob storage combined with Azure CDN (content delivery network) to act as a highly available CDP and AIA location.

Requirements for this setup are:

  • Microsoft PKI
  • Azure Storage Account
  • Azure CDN
  • AzCopy


My overall design for this setup is like this.


Copy CRT and CRL’s to Azure blob storage

Go to

create or edit an existing blob storage account.


Take note of, or copy, one of the access keys for later use when configuring the copy job.


On the issuing CA, download and install AzCopy from

Create a PowerShell script with the following AzCopy command, where:

  • /Dest: = the storage account destination
  • /DestKey: = the storage account access key

The files are now uploaded to the Azure Blob Storage account.


On the issuing CA, create a scheduled task that runs the copy job every day at 1:00 AM.

This is an example copy job in XML format that can be imported into Windows Task Scheduler.
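The upload script and the daily scheduled task, written out as an added example (this is not the original post's script). It uses the legacy AzCopy switch syntax the post refers to (/Source, /Dest, /DestKey, /S), reads from the CA's default CertEnroll folder, and registers the task to run as SYSTEM at 1:00 AM. The storage account name, container, access key, script path and AzCopy install path are placeholders to be replaced with your own values.

```powershell
# Publish-Pki.ps1 (added example; all names below are placeholders)
# Copies the CA certificate (.crt) and CRLs (.crl) from the CertEnroll folder
# to the "pki" blob container that the CDN endpoint will use as its origin.
$AzCopy  = 'C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy\AzCopy.exe'  # default install path, assumption
$Source  = 'C:\Windows\System32\CertSrv\CertEnroll'                         # default CertEnroll folder on a Windows CA
$Dest    = 'https://<storageaccount>.blob.core.windows.net/pki'             # /Dest: = storage account + container
$DestKey = '<storage-account-access-key>'                                  # /DestKey: = access key from the portal

# /Pattern restricts the copy to the file types the CDP/AIA need, /S recurses,
# /Y suppresses the confirmation prompt so the job can run unattended.
foreach ($pattern in '*.crl', '*.crt') {
    & $AzCopy "/Source:$Source" "/Dest:$Dest" "/DestKey:$DestKey" "/Pattern:$pattern" /S /Y
    if ($LASTEXITCODE -ne 0) {
        Write-EventLog -LogName Application -Source 'Application' -EventId 1000 -EntryType Error `
            -Message "AzCopy failed for $pattern with exit code $LASTEXITCODE"
    }
}

# --- Register the scheduled task (run once, elevated, on the issuing CA) ---
$ScriptPath = 'C:\Scripts\Publish-Pki.ps1'   # placeholder location of this script
$Action     = New-ScheduledTaskAction -Execute 'powershell.exe' `
                  -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Trigger    = New-ScheduledTaskTrigger -Daily -At '01:00'
$Principal  = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Publish PKI to Azure' -Action $Action -Trigger $Trigger -Principal $Principal
```

Because the script holds a storage account key that grants full access to that account, keep the account dedicated to PKI publishing and restrict NTFS permissions on the script file to the account the task runs under. Run the script by hand once before relying on the task, so that a path or key typo shows up before the CRL expires.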


Go to and create a CDN profile


Create a CDN endpoint and point its origin to the blob storage folder “pki”.


Configure the endpoint name (the CDN URL) to match the URL you are planning to put in the HTTP CDP and AIA extensions of all your leaf certificates.

Or, preferably, you can choose any endpoint name and point your own domain to the CDN URL.



Now, from a public connection, you should be able to access and download the CRL and CRT files.
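A check for this step, added here as an example rather than taken from the original post: it downloads the CRL through the CDN endpoint, prints the HTTP status and cache headers, and has certutil parse the file so the ThisUpdate/NextUpdate window is visible. The endpoint host name, CRL file name and leaf certificate path are placeholders. Comparing NextUpdate with the CDN's cache lifetime matters, since a CRL cached by the CDN for longer than the CA's publication interval would be served stale to clients.

```powershell
# Verify-PkiCdn.ps1 (added example; all names below are placeholders)
$CdnBase  = 'https://<endpoint>.azureedge.net/pki'   # CDN endpoint that fronts the "pki" container
$CrlName  = '<Issuing CA name>.crl'                   # CRL file name as published by the CA
$LeafCert = 'C:\Temp\leaf.cer'                        # any certificate issued by this CA

$Local = Join-Path $env:TEMP $CrlName

# Fetch the CRL exactly as a roaming client would, via the public CDN URL.
$resp = Invoke-WebRequest -Uri "$CdnBase/$CrlName" -OutFile $Local -PassThru -UseBasicParsing
"HTTP $($resp.StatusCode); Cache-Control: $($resp.Headers['Cache-Control'])"

# certutil parses the downloaded CRL; the two dates show how fresh the served copy is.
certutil -dump $Local | Select-String 'ThisUpdate|NextUpdate'

# Full chain and revocation check of a leaf certificate, fetching CDP/AIA from the
# URLs embedded in the certificate. Any line containing "error" indicates a problem.
certutil -verify -urlfetch $LeafCert | Select-String 'Revocation|error|Verified'
```

Run this from a machine outside the corporate network as well as from an internal client, so that both the public CDN path and the internal DNS record described in the next section are exercised.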



In the previous steps I have configured the CDP and AIA locations to a publicly available HTTP address. This is because I want to enable revocation checking for roaming clients on the internet.

For servers without internet access and for clients on the same LAN, we must create a DNS record pointing to an internal web server that serves the CDP and AIA.



Published in Active Directory, IT, PKI, Windows Azure


  1. Nice. I’m looking into setting up a new two-tier PKI, and am weighing up whether to go this route or to simply publish the CDP and AIA via Azure AD App Proxy. The benefit of your method is that it’s resilient and highly available without much effort.

    • jesper jesper

      Hi Daniel, did you finish your PKI? I never thought about using Azure AD App Proxy or Web Application Proxy for this, but it would work.
      However, it would differ from PKI best practices if you published CDP and AIA directly from the Certificate Authority.

      Kind regards
