Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The Authority Information Access (AIA) extension in X.509 certificates specifies a URL where the issuing Certificate Authority (CA) certificate can be obtained. If a system is unable to build a complete certificate trust chain using only the certificates in its local store, it might attempt to download missing intermediate certificates from the network using the AIA URL. AIA automates the retrieval of missing certificates and minimizes the manual effort required to update local certificate stores.
The automatic retrieval helps complete the trust chain but can introduce security risks if not properly managed. To enhance security, ensure that your certificate stores are properly configured and contain only certificates from trusted CAs. You can further strengthen your environment by disabling AIA retrieval system-wide. This forces Windows APIs to build certificate chains exclusively from certificates already present in the local store, reducing the risk of inadvertently trusting unverified or malicious certificates retrieved from external sources. Adopting this defense-in-depth strategy helps safeguard your systems against unauthorized or unexpected certificate trust paths.
Best practices for managing your CAs include:
Keep the list of trusted root and intermediate CAs up-to-date. This involves regularly updating the local certificate store with new or updated certificates from trusted sources.
Ensure intermediate certificates are consistently added to the local store, especially if AIA retrieval is disabled. This prevents potential disruptions in certificate validation.
Conduct regular audits of the certificate store to identify and remove expired or untrusted certificates. This practice helps maintain trustworthiness and reduces security risks associated with outdated certificates.
Prerequisites
To make changes to the AIA, you must be a member of the Administrators, Domain Admins, or Enterprise Admins security group.
Manage AIA retrieval
To disable AIA retrieval system-wide in your environment, follow one of these methods:
Select Start, type gpedit, and select Edit group policy.
Navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies and open Certificate Path Validation Settings.
Select the Network Retrieval tab. Select Define these policy settings, uncheck Allow issuer certificate (AIA) retrieval during path validation, then select OK.
If you need to reenable AIA retrieval, uncheck Define these policy settings and then select OK.
Retrieve AIA status
By default, AIA is enabled on your device. AIA retrieval is triggered by the CCertChainEngine::GetIssuerUrlStore() function in crypt32.dll. The CERT_CHAIN_DISABLE_AIA and CERT_CHAIN_ENSABLE_AIA is set in the dwFlags passed to create the engine or in the call to CertGetCertificateChain. To retrieve your current AIA status, run the following command:
$registryPath = "HKLM:\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config"
$propertyName = "Options"
try {
$regCheck = (Get-ItemProperty -Path $registryPath -Name $propertyName -ErrorAction Stop).$propertyName
switch ($value) {
0 { "AIA is Enabled" }
2 { "AIA is Disabled" }
default { "Unexpected value: $regCheck" }
}
} catch {
"AIA has not been set"
}