Why enable "Directory Browsing" on the CertEnroll IIS virtual directory in an Active Directory Certificate Services (ADCS) PKI environment?

Anonymous
2023-12-19T21:01:23+00:00

I'm building a two-tier PKI and I'm at a step I don't understand. Most guides dictate the enablement of Directory Browsing on the CertEnroll IIS virtual directory.

Why would directory browsing need to be enabled? I can't imagine any scenario where a person would have to actually browse this directory or to manually pull a CRL or CA cert that resides in it.

Am I missing something?


5 answers

  1. Anonymous
    2023-12-20T02:25:29+00:00

    Hi Matthew McDonald,

    Enabling Directory Browsing on the CertEnroll IIS virtual directory in an ADCS PKI environment allows users to access the Certificate Revocation List (CRL) and the Certificate Authority (CA) certificate through a web browser. This is useful in scenarios where users need to manually download the CRL or CA certificate, such as when troubleshooting certificate validation issues or when configuring non-Microsoft devices to trust the CA.

    Enabling Directory Browsing does not pose a security risk as long as the CertEnroll virtual directory is properly secured with appropriate permissions and access controls. It is recommended to disable Directory Browsing after the necessary certificates have been downloaded to prevent unauthorized access to the directory.

    Best regards,

    Qiuyang

  2. Anonymous
    2023-12-20T05:10:00+00:00

    Thanks for the reply, however I have a couple of follow-up questions...

    1. Manually downloading a CRL is a new idea to me (the CA cert I get). Can you provide an example of where manually downloading that file would be needed and how it would be used? Curiosity is killing me.
    2. You say Directory Browsing does not pose a security risk, but then immediately say it's recommended to disable it to prevent unauthorized access. This is conflicting information, is it not?
  3. Anonymous
    2023-12-20T06:13:36+00:00

    Hi Matthew McDonald,

    Enabling Directory Browsing on the CertEnroll IIS virtual directory is recommended because it allows users to manually download the CRL and CA certificate files. This can be useful in situations where the automatic download of these files fails or is not possible due to network connectivity issues. For example, if a client is unable to access the internet to download the CRL, they can manually download it from the CertEnroll virtual directory.

    Regarding your second question, I apologize for any confusion. Enabling Directory Browsing itself does not pose a security risk, but leaving it enabled can potentially allow unauthorized access to the files in the directory. Therefore, it is recommended to disable Directory Browsing after manually downloading the necessary files to prevent unauthorized access.

    Best regards,

    Qiuyang

  4. Anonymous
    2023-12-20T15:50:35+00:00

    Apologies if I keep asking stupid questions, but you again conflicted, so I'm not sure what to think.

    You first say: "Enabling Directory Browsing on the CertEnroll IIS virtual directory is recommended" but then say "Therefore, it is recommended to disable Directory Browsing".

  5. Anonymous
    2023-12-21T01:59:05+00:00

    Hi Matthew McDonald,

    I apologize for the confusion. Enabling Directory Browsing on the CertEnroll IIS virtual directory is not recommended as it can potentially expose sensitive information to unauthorized users. It is recommended to disable Directory Browsing to prevent this from happening.

    Regarding your question about why Directory Browsing would need to be enabled, it is not necessary for normal PKI operations. However, in some cases, it may be useful for troubleshooting purposes or for manually retrieving CRLs or CA certificates. But as mentioned earlier, it is not recommended to enable it for security reasons.

    Best regards,

    Qiuyang

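The thread ends on "disable it"; what it never shows is how to check the setting or how to confirm that clients lose nothing when it is off. The following is an added example, not code from the thread or from Microsoft: it audits and disables Directory Browsing on the CertEnroll virtual directory with the WebAdministration module, then fetches the CRL and CA certificate by their direct URLs, which is the only way a client ever retrieves them. It assumes the virtual directory sits under "Default Web Site" and that the host name, CA name and server FQDN below (placeholders) match the CDP/AIA extensions configured on your CA.

```powershell
# Added example (not from the thread): audit and turn off Directory Browsing on
# CertEnroll, then prove the published objects still answer by exact URL.
# Assumption: WebAdministration module present; vdir under "Default Web Site".
Import-Module WebAdministration

$vdirPath  = 'IIS:\Sites\Default Web Site\CertEnroll'
$caHost    = 'pki.example.com'                # placeholder: host in the HTTP CDP/AIA URLs
$caName    = 'Example-Issuing-CA'             # placeholder: CA common name
$serverDns = 'issuingca.corp.example.com'     # placeholder: CA server FQDN (%1 in the AIA template)

# 1. Report the current state of directoryBrowse on the CertEnroll vdir.
$cfg = Get-WebConfiguration -PSPath $vdirPath -Filter 'system.webServer/directoryBrowse'
Write-Host "Directory Browsing on CertEnroll is currently enabled: $($cfg.enabled)"

# 2. Disable it: CRL/AIA clients request files by name, never by listing.
if ($cfg.enabled) {
    Set-WebConfigurationProperty -PSPath $vdirPath `
        -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $false
    Write-Host 'Directory Browsing disabled.'
}

# 3. Verify the published files still answer (HTTP 200) by direct URL.
#    Default ADCS naming: <CAName>.crl and <ServerFQDN>_<CAName>.crt; adjust
#    these if your CDP/AIA extensions use a different pattern.
$urls = @(
    "http://$caHost/CertEnroll/$caName.crl",
    "http://$caHost/CertEnroll/${serverDns}_$caName.crt"
)
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -Method Head
        Write-Host "OK  $($r.StatusCode)  $u"
    } catch {
        Write-Warning "FAILED $u : $($_.Exception.Message)"
    }
}

# 4. The bare directory should no longer return a listing (expect 403).
try {
    Invoke-WebRequest -Uri "http://$caHost/CertEnroll/" -UseBasicParsing | Out-Null
    Write-Warning 'Directory root still answers; check for a listing or default document.'
} catch {
    Write-Host "Directory root rejected as expected: $($_.Exception.Response.StatusCode)"
}
```

Run it from an elevated PowerShell session on the CA web server; if step 3 reports a failure after step 2, the file name or URL in your CDP/AIA extension differs from the placeholder, not the Directory Browsing setting.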