Large CRLs cause intermittent certificate-based authentication failures in Azure AD

To resolve this issue, try putting large CRLs into Azure Storage and then modify the CrlDistributionPoint and DeltaCrlDistributionPoint attributes of the Trusted Certificate Authority objects in Azure AD to reference these new URLs.

Note There's no need to issue new user certificates with these new CRLs in them. Azure AD does not leverage the certificate distribution points that are present in the user's certificates. This means that the CRL endpoints listed on the Trusted Certificate Authority objects can be any valid URL that points to a current CRL.

First, use one of the following methods below to move the CRLs from their current location to Azure Storage. After the files have been uploaded to Azure Storage, modify the CrlDistributionPoint and DeltaCrlDistributionPoint attributes on the trusted certificate authority objects in the tenant to point to the new CRL endpoints.

Put the CRLs in Azure Storage

Method 1

1. Verify that the correct subscription is selected by running the following command line:
   
   
   PS C:\> Get-AzureSubscription
   
   Note If nothing is returned, run Add-AzureAccount -Tenant <tenantID>.
   
2. If more than one subscription is returned, and the subscription with the storage account where the CRL files will be stored is not set to True for IsDefault and IsCurrent, run the following command. (Otherwise go on to the next step.)
   
   
   Select-AzureSubscription -SubscriptionName "Subscription Name"
3. Declare the location where the CRLs currently are published by the certificate authorities:
   
   
   $srcUri0 = "http://crl.contoso.com/crl/RootCA.crl"
   
   Note This should be the location that is too slow and that triggers gateway timeouts.
4. Log in to https://portal.azure.com, and then open the Storage Accounts blade:
   1. Select the storage account that will host the CRL files. Copy the name from the blade to Notepad.
   2. Click Access keys, click the Click to copy button to the right of the first or second key, and then paste the access key into Notepad together with the name of the storage account.
5. Declare Storage Account credentials:
   
   $storageAccount = "<store name>"
   $storageKey = "tcKqSqVr08rTXrc6v+vfXs7LM85Fi0mwoyVnI6TSEVhXAr9H6LSUeKSz3MWqqcp2aOQcWL8d5QzE7rrQAgis9Q=="
6. Create a destination context for authenticating the file copy:
   
   $destContext = New-AzureStorageContext –StorageAccountName $storageAccount -StorageAccountKey $storageKey
7. Create a target container in blob storage by using all lowercase character for the name. The following example uses a blob container that's named "crls":
   
   
   New-AzureStorageContainer -Name "crls" -Context $destContext
   
   Note Future copy attempts should call Get-AzureStorageContainer.
8. Copy the first CRL file from the published CRL location to the blob store:
   
   $blob0 = Start-AzureStorageBlobCopy -srcUri $srcUri0 -DestContainer $containerName -DestBlob "RootCA.crl" -DestContext $destContext
9. Script newly published CRLS to be uploaded from the original location to Azure Storage to be run as a scheduled task:
   
   $srcUri0 = "http://crl.contoso.com/crl/RootCA.crl"
   $srcUri1 = "http://crl.contoso.com/crl/RootCA+.crl"
   $srcUri2 = "http://crl.contoso.com/crl/SubordinateCA.crl"
   $srcUri3 = "http://crl.contoso.com/crl/SubordinateCA+.crl"
   
   ## Copy the first CRL:
   $storageAccount = "<store name>"
   $storageKey = "tcKqSqVr08rTXrc6v+vfXs7LM85Fi0mwoyVnI6TSEVhXAr9H6LSUeKSz3MWqqcp2aOQcWL8d5QzE7rrQAgis9Q=="
   $destContext = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
   
   Get-AzureStorageContainer -Name "crls" -Context $destContext
   $blob0 = Start-AzureStorageBlobCopy -srcUri $srcUri0 -DestContainer $containerName -DestBlob "RootCA.crl" -DestContext $destContext
   
   ## Copy the second CRL:
   $storageAccount = "<store name>"
   $storageKey = "tcKqSqVr08rTXrc6v+vfXs7LM85Fi0mwoyVnI6TSEVhXAr9H6LSUeKSz3MWqqcp2aOQcWL8d5QzE7rrQAgis9Q=="
   $destContext = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
   
   Get-AzureStorageContainer -Name "crls" -Context $destContext
   $blob1 = Start-AzureStorageBlobCopy -srcUri $srcUri1 -DestContainer $containerName -DestBlob "RootCA+.crl" -DestContext $destContext
   
   ## Copy the third CRL:
   $storageAccount = "<store name>"
   $storageKey = "tcKqSqVr08rTXrc6v+vfXs7LM85Fi0mwoyVnI6TSEVhXAr9H6LSUeKSz3MWqqcp2aOQcWL8d5QzE7rrQAgis9Q=="
   $destContext = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
   
   Get-AzureStorageContainer -Name "crls" -Context $destContext
   $blob2 = Start-AzureStorageBlobCopy -srcUri $srcUri2 -DestContainer $containerName -DestBlob "SubordinateCA.crl" -DestContext $destContext
   
   ## Copy the fourth CRL:
   $storageAccount = "<store name>"
   $storageKey = "tcKqSqVr08rTXrc6v+vfXs7LM85Fi0mwoyVnI6TSEVhXAr9H6LSUeKSz3MWqqcp2aOQcWL8d5QzE7rrQAgis9Q=="
   $destContext = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
   
   Get-AzureStorageContainer -Name "crls" -Context $destContext
   $blob3 = Start-AzureStorageBlobCopy -srcUri $srcUri3 -DestContainer $containerName -DestBlob "SubordinateCA+.crl" -DestContext $destContext
10. Create a scheduled task that will copy the CRLs to Azure Storage, and then verify that the task runs successfully.

Method 2

1. Download and install Microsoft Azure Storage Explorer to the server where the CRL files are located.
2. Add the Azure Storage Account information where the CRLs will be placed.
3. Expand the Storage Account container under the subscription where the CRLs will be placed.
4. Create a new container under Blobs.
   
   Note Blobs can be accessed by Anonymous users.
5. Publish new full CRLs from the root and intermediate CAs.
6. Copy the new CRLs to the new Blob container in Storage Explorer.
7. Select all of the CRLs in the container, and then click the Copy URL button.

Method 3

1. Copy the CRLs files to a computer where the AzureAD PowerShell module is installed.
2. Log in to https://portal.azure.com by using a Global Administrator account.
3. Open the Storage accounts  blade, and then select the storage account of your choice.
4. From the Overview blade, under Services, click Files to open the "File service" blade.
5. Click File share, type a name in the "New file share" blade, and then click Create.
6. In the "File service" blade, open the newly created share, and then click Upload.
7. Click the folder icon to open the file picker, and then search for the location in which the CRLs are located.
8. Select all of the CRLs, click Open, and then click Upload.

Modify the CrlDistributionPoint and DeltaCrlDistributionPoint attributes of the trusted certificate authority objects in Azure AD

Follow the steps in the "Modifying a certificate authority" section of Get started with certificate based authentication on iOS - Public Preview.

1. Run the following command to retrieve the certificate authorities:
   
   
   $c=Get-AzureADTrustedCertificateAuthority
2. Modify properties on each certificate authority
   
   Note If you have more than one certificate authority, make sure that you update the correct object by noting the order in which CAs appear in the array:
   
   PS C:\> $c[0]
   
   AuthorityType : RootAuthority
   CrlDistributionPoint : http://crl.contoso.com/crl/RootCA.crl
   DeltaCrlDistributionPoint : http://crl.contoso.com/crl/RootCA+.crl
   TrustedCertificate : {48, 130, 3, 151...}
   TrustedIssuer : CN=RootCA, DC=contoso, DC=com
   TrustedIssuerSki : A95817BBF25C7048236F246D2D431C873E9DA98A
   
   PS C:\> $c[1]
   
   AuthorityType : IntermediateAuthority
   CrlDistributionPoint : http://crl.contoso.com/crl/SubordinateCA.crl
   DeltaCrlDistributionPoint : http://crl.contoso.com/crl/SubordinateCA+.crl
   TrustedCertificate : {48, 130, 5, 187...}
   TrustedIssuer : CNSubordinateCA, DC=contoso, DC=info
   TrustedIssuerSki : 1CD56BA47378E54D6E9F1D464B3A3C41844BBEEF
3. Modify the CrlDistributionPoint and DeltaCrlDistributionPoint properties.
   
   Note These can be obtained by logging into https://portal.azure.com and then copying the CRL endpoints. 
   
   PS C:\> $c[0].CrlDistributionPoint="https://rgstorage.file.core.windows.net/crls/RootCA.crl"
   PS C:\> $c[0].DeltaCrlDistributionPoint="https://rgstorage.file.core.windows.net/crls/RootCA+.crl"
   PS C:\> $c[1].CrlDistributionPoint="https://rgstorage.file.core.windows.net/crls/SubordinateCA.crl"
   PS C:\> $c[1].DeltaCrlDistributionPoint=https://dergstorage.file.core.windows.net/crls/SubordinateCA+.crl
   
4. Apply the changes that were made to the $c object in memory to the objects in Azure AD:
   
   PS C:\> Set-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $c[0]
   
   Id CertificateAuthorities
   -- ----------------------
   29728ade-6ae4-4ee9-9103-412912537da5 {class CertificateAuthorityInformation {...
   
   
   PS C:\> Set-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $c[1]
   
   Id CertificateAuthorities
   -- ----------------------
   29728ade-6ae4-4ee9-9103-412912537da5 {class CertificateAuthorityInformation {...
5. Verify that the objects were updated correctly in Azure AD:
   
   PS C:\> $c2=Get-AzureADTrustedCertificateAuthority
   PS C:\> $c2
   
   
   AuthorityType : RootAuthority
   CrlDistributionPoint : https://rgstorage.file.core.windows.net/crls/RootCA.crl
   DeltaCrlDistributionPoint : https://rgstorage.file.core.windows.net/crls/RootCA+.crl
   TrustedCertificate : {48, 130, 3, 151...}
   TrustedIssuer : CN=RootCA, DC=contoso, DC=com
   TrustedIssuerSki : A95817BBF25C7048236F246D2D431C873E9DA98A
   
   AuthorityType : IntermediateAuthority
   CrlDistributionPoint : https://rgstorage.file.core.windows.net/crls/SubordinateCA.crl
   DeltaCrlDistributionPoint : https://rgstorage.file.core.windows.net/crls/SubordinateCA+.crl
   TrustedCertificate : {48, 130, 5, 187...}
   TrustedIssuer : CN=SubordinateCA, DC=contoso, DC=com
   TrustedIssuerSki : 1CD56BA47378E54D6E9F1D464B3A3C41844BBEEF