Host CRL and AIA for your internal PKI in Microsoft Azure Web App

When you have an internal PKI solution you have to consider where to host your CRL and AIA. They are both important and must be available to the client when your internal certificates are in use. By default (but you should never use default settings in PKI) the files are stored on the CA server and available through SMB and HTTP (and LDAP if domain joined). Not only do you have to make your CA server available through these ports, but if your clients are outside the company network then your CA must be available there as well. Needless to say, this is not a good practice.

Normally you would publish CRL and AIA on a webserver in your DMZ, make it redundant and such, but if you’re going through all that work you might as well use the opportunity to take it all the way to the cloud. Microsoft Azure can provide a cheap (or even free) website where the CRL and AIA can be published, and it will be globally available and redundant.

If you are new to Microsoft Azure then this is a very good opportunity to take the first step and learn the basics about it. Although the CRL and AIA are important, this solution is easy to implement and you get to learn the basics of Azure as you go.

Set up Azure web app

You need to register an account in Microsoft Azure first and then create a new Resource Group with a logical name. Inside the resource group I suggest you first make an App service plan before you create the web app itself.

Under “App service plan/Location” you can set up the pricing and the location (which Azure data center) where you want to host the website. In this example I chose an existing App service plan. After the website is created you can create additional App service plans and later just assign your websites to these.


Pricing and features

In “App services” you can add an “App service plan” and select another pricing tier. Notice you get a brief summary of the features available along with a rough price estimate per month. For the CRL and AIA you won’t need a lot of processing power, storage space or deployment slots. If you want to use your custom domain name then “D1 Shared” is the minimum pricing tier. It is not available in the free tier. Without a custom domain name your URL for CRL and AIA will be “(yourwebsitename)”, which will work perfectly, but you can’t bring that domain name with you if you want to host your CRL and AIA somewhere else at a later time. In that case you have to either renew all CA certs, and their issued certs, with an updated URL to the CRL and AIA, or stick with Azure web app. So I recommend using your own domain name for the flexibility it provides.


When you have the proper pricing tier selected you can register your custom domain with the app service. Select “Custom domain” on the left side when you are in the web app and follow the instructions there.

Double escaping

The delta CRL has a ‘+’ at the end of the filename, so in order for this to work you have to enable double escaping on the website or the delta CRL will be unavailable. There are no settings for this in the GUI as far as I am aware, but you can create a new text file named “web.config” (no .txt extension) with the following content and upload it to the root of the web app (site/wwwroot).

<?xml version="1.0" encoding="utf-8" ?>
<configuration><system.webServer><security>
<requestFiltering allowDoubleEscaping="true" />
</security></system.webServer></configuration>


Upload the files

There are many ways to upload both the cert-files and the web.config file to the Azure web app and I won’t cover all the options here. If you go to “Properties” on the web app you will find all the information you need to upload files to the website in different ways. In “Deployment options” you find options for source control and deployment. For my private PKI I picked a simple scheduled task which opens an FTP session and uploads the cert-files and web.config into /site/wwwroot in Azure using WinSCP, which is my favorite FTP client.
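
A check that the scheduled upload task could run afterwards, added here as a PowerShell example and not part of the original post: it requests the base CRL, the delta CRL (the name with ‘+’) and the CA certificate over HTTP, and flags a 404 on the delta CRL as a likely missing double-escaping setting. The base URL and the file names are placeholders assumed for illustration.

```powershell
# Added example: post-upload check of the published CRL and AIA files.
# Assumption: the base URL and file names are placeholders; use your CA's values.
$BaseUrl = 'http://pki.example.com'
$Files   = @('ExampleCA.crl', 'ExampleCA+.crl', 'ExampleCA.crt')  # base CRL, delta CRL, CA cert

function Test-PkiFile {
    param([string]$BaseUrl, [string]$FileName)

    # Request the literal file name, as a client reading the CDP/AIA extension would.
    $url    = '{0}/{1}' -f $BaseUrl.TrimEnd('/'), $FileName
    $result = [pscustomobject]@{ Url = $url; Status = $null; Bytes = 0; Ok = $false; Note = '' }
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        $result.Status = [int]$r.StatusCode
        $result.Bytes  = $r.RawContentLength
        # An empty 200 response is treated as a failed publication.
        $result.Ok     = ($r.StatusCode -eq 200 -and $r.RawContentLength -gt 0)
    }
    catch {
        # Non-2xx responses throw; keep the status code when there was an HTTP response.
        $resp = $_.Exception.Response
        if ($resp) { $result.Status = [int]$resp.StatusCode }
        $result.Note = $_.Exception.Message
        if ($FileName -like '*+*' -and $result.Status -eq 404) {
            $result.Note = "404 on a name containing '+': check web.config (allowDoubleEscaping) in site/wwwroot"
        }
    }
    $result
}

$results = foreach ($f in $Files) { Test-PkiFile -BaseUrl $BaseUrl -FileName $f }
$results | Format-Table -AutoSize

# A non-zero exit code lets the scheduled task report the failure.
if ($results.Ok -contains $false) { exit 1 }
```

A 404 on the delta CRL while the base CRL returns 200 points at the request filtering setting rather than at the upload itself.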


Thanks for reading everyone. Wish you all a happy new year