ADCS not starting - EventID 48 & 100 - CRL and AIA files not found
I'll try to keep this brief. Last year I set up a 2-tier PKI mostly from Brian Komar's book (thanks): an offline Root CA (non-domain joined) and an issuing CA (domain joined). The setup has been fine for the last year and I never got the time to set up monitoring or look at the issue with the CRL and AIA files. Now, 1 year later, the issuing CA has gone past the 1 year CRL renewal plus the 30 day overlap, and the server will not start ADCS. It gives EventID 48 and then EventID 100: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013

I did a certutil -verify -urlfetch on the cert and got this:

Failed "AIA" Time 0 Error retrieving URL: The request is not supported. 0x80070032 (WIN32: 50) File://RootCAServer/CertEnroll/RootCAServer_Root.crt
Failed CDP Time: 0 Error retrieving URL: the request is not supported 0x80070032 (WIN32: 50) File://RootCAServer/CertEnroll/Root.crl

Because it is a Root CA I only allowed file access, so there is no LDAP or HTTP access to the AIA or CRL. I turned on the RootCAServer and I can navigate to the \\RootCAServer\CertEnroll directory in Explorer.

Based on the Microsoft TechNet article http://technet.microsoft.com/en-us/library/cc774550(v=ws.10).aspx the issue seems to be that the issuing CA cannot reach the AIA or CRL files. After some more poking around I came across another article, http://support.microsoft.com/kb/946401, which deals with the issue that newer OSes don't have the file protocol turned on. The Root and Issuing CA are both 2008 R2 servers. I inserted that registry key and restarted the server; ADCS still doesn't start, but now after running the verify -urlfetch I got a similar error:

Failed "AIA" Time 0 Error retrieving URL: The request is not supported. 0x80070003 (WIN32: 3) File://RootCAServer/CertEnroll/RootCAServer_Root.crt
Failed CDP Time: 0 Error retrieving URL: the request is not supported 0x80070003 (WIN32: 3) File://RootCAServer/CertEnroll/Root.crl

So at this point I'm hoping someone can help me with what to do. If anyone has recommendations, I can probably re-issue the cert if I need to add another publishing point or modify it, but I'm curious why the URL is in the format URL=file://RootCAServer/CertEnroll/Root.crl in the CRL distribution point instead of something like URL=file://\\RootCAServer\CertEnroll\Root.crl

Thanks in advance
March 26th, 2012 3:02pm

The only reason that your PKI worked initially was that you manually injected the root CA CRL into the cache of your issuing CA:

certutil -addstore root Root.crl

For now, you can publish a new CRL at the root CA and repeat this process. But in the long term, you need to properly configure and run a post-installation script for the root CA where you publish the root CA certificate and CRL to an *online* Web service and reference this Web service in the CDP and AIA extensions of the certificates issued by the root CA. I recommend you re-work your way through the installation chapter.

Brian
March 26th, 2012 4:54pm


Thanks yet again Brian! That did the trick. My setup is fairly simple, so I only have one certificate to worry about at this point, and I will need to republish next time. So I will be re-reading your installation chapters, but perhaps you could explain why the file method was not working? Is the registry entry necessary for 2008 and up servers to activate file access (in which case it would seem that HTTP is the only viable method for an offline CA)? And also, which is the proper method for the URL format: URL=file://RootCAServer/CertEnroll/Root.crl or URL=file://\\RootCAServer\CertEnroll\Root.crl?

Thanks
March 27th, 2012 9:20am

Sorry to jump in, I'm sure Brian will say the same, but the file:// location is no longer supported, which is exactly the error it's giving you when you try to use it. Restrict yourself to using the local location, the LDAP location (where you published your certificate) and a web location like: These locations are inserted into certificates issued by the Root CA because of the check in the "Include in the AIA extension of issued certificates" box.
March 27th, 2012 10:58am

I agree with everything but using LDAP. LDAP is not recommended due to replication and connectivity issues for non-domain joined machines (and Unix, devices, etc.). HTTP should be before LDAP if you still decide to use LDAP.

Brian
March 27th, 2012 11:54am

So really CDP and AIA should only be published to the local C drive and then HTTP for a root CA? I was under the impression that a file DP was the preferred method for a Root CA? Or was that prior to 2008?
March 27th, 2012 1:56pm

That was never preferred... ever..... Support for File was pulled back with Windows Server 2003, when the chaining engine was ported to Windows 2000 to support Delta CRLs. A long, long time ago.

Brian
March 27th, 2012 4:26pm
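The post-installation script Brian recommends, with HTTP-only CDP/AIA and no file:// or ldap:// locations, as an added example that is not from this thread or from the book. It assumes a root CA named "RootCA", a web host pki.example.com serving the CertEnroll folder, a 52-week CRL with a 4-week overlap, and an issuing CA certificate file named IssuingCA.crt; all of these names are placeholders.

```powershell
# Run elevated on the offline root CA after installing the CA role.
# Re-run steps 4-5 at every CRL renewal, before the overlap period ends.

# 1. CDP: publish the CRL to the local CertEnroll folder (flag 1) and embed
#    only the HTTP URL in issued certificates (flag 2). certutil expands
#    %3 = CA name, %8 = CRL suffix, %9 = delta suffix; entries are newline-separated.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl`n2:http://pki.example.com/CertEnroll/%3%8%9.crl"

# 2. AIA: same pattern for the root CA certificate (%1 = server name, %4 = renewal index).
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt`n2:http://pki.example.com/CertEnroll/%1_%3%4.crt"

# 3. Long-lived base CRL with an overlap window, and no delta CRLs: an offline
#    root is only booted to publish, so a short validity would expire unnoticed,
#    which is the EventID 48/100 failure described in this thread.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriodUnits 4
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# 4. The CA reads these values at service start; then generate the CRL.
net stop certsvc
net start certsvc
certutil -crl

# 5. Carry the .crt and .crl to the web server (removable media, since the
#    root is offline) so http://pki.example.com/CertEnroll/ serves them.
$enroll = "$env:WINDIR\system32\CertSrv\CertEnroll"
$media  = "E:\CertEnroll"   # assumed removable drive
New-Item -ItemType Directory -Path $media -Force | Out-Null
Copy-Item "$enroll\*.crt", "$enroll\*.crl" -Destination $media

# 6. On the issuing CA, confirm the chain now resolves over HTTP. certutil
#    prints one line per URL; any line starting with "Failed" (as in the
#    original post) means the CDP/AIA publish must be fixed before the
#    current root CRL's overlap period runs out.
$report = certutil -verify -urlfetch "$enroll\IssuingCA.crt"
if ($report -match '^\s*Failed') {
    Write-Warning "CDP/AIA fetch failed; republish the root CA CRL and certificate."
} else {
    Write-Output "All CDP/AIA URLs verified."
}
```

Step 6 is also the check worth scheduling on the issuing CA so the expiry is caught during the overlap window rather than after ADCS refuses to start.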
