CDP Distribution Point Issue
I installed a Subordinate CA on a new server, which I want to use as the CRL distribution point. How do I change the CDP to the new server? I have seen references to capolicy.inf but I don't have this file. Robert Porter
December 3rd, 2010 5:14pm

Not sure what you are asking.

1) To change the CDP in the certificate of the Subordinate CA, you must modify the CDP and AIA for issued certificates at the root CA. This is done by using certutil (using subca.example.com as your subordinate CA DNS name):

::Modify the CDP Extension URLs
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://subca.example.com/pki/%%3%%8%%9.crl"
::Modify the AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://subca.example.com/pki/%%1_%%3%%4.crt"

2) Once you have issued the subordinate CA certificate, you will need to use certutil.exe to configure the CDP and AIA extensions for certificates issued by the subordinate CA:

::Modify the CDP Extension URLs
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://subca.example.com/pki/%%3%%8%%9.crl"
::Modify the AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://subca.example.com/pki/%%1_%%3%%4.crt"

Note that these are simplified examples. The URLs will change if you wish to use Active Directory as well for revocation checking and chain building. HTH, Brian
December 4th, 2010 8:31am

I get the general idea but a few of the details are confusing. Can you provide a document reference? My root CA is a Win2K3 and my subCA is on a Win2K8 R2 machine. Thanks, Robert Porter
December 4th, 2010 1:17pm

I made the changes but get the following error on restarting the certificate service: "The revocation function was unable to check revocation because the revocation server was offline." Any help? Robert Porter
December 4th, 2010 5:15pm

Did you copy the CRL files to the referenced Web site? For the root CA, you need to use sneakernet. For the issuing CA, you must create a scheduled task that copies the files to the issuing CA every time that they are created. For references, here is one: http://www.microsoft.com/MSPress/books/9549.aspx Another is the 2003 best practices white paper: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx Brian
December 5th, 2010 8:28am
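As an added illustration of the scheduled copy Brian describes (not code from this thread), the following PowerShell script publishes new CRL and CA certificate files from the issuing CA's CertEnroll folder to the web server behind http://subca.example.com/pki/ and checks that the CA's CRLPublicationURLs value and the latest published CRL look sane. The UNC path, script path and service account name are assumptions.

```powershell
# Added example: publish CRL/CRT files to the CDP web server and sanity-check the setup.
# $Dest is an assumed UNC share that the web server maps to http://subca.example.com/pki/.
$Source = Join-Path $env:WINDIR 'System32\CertSrv\CertEnroll'
$Dest   = '\\webserver.example.com\pki$'

# Copy base CRLs, delta CRLs and CA certificates that are newer than the published copy.
Get-ChildItem -Path "$Source\*" -Include '*.crl', '*.crt' | ForEach-Object {
    $target = Join-Path $Dest $_.Name
    if (-not (Test-Path $target) -or $_.LastWriteTime -gt (Get-Item $target).LastWriteTime) {
        Copy-Item -Path $_.FullName -Destination $target -Force
        Write-Output "Published $($_.Name)"
    }
}

# Check that the CA's CDP registry value actually references the web host clients will use;
# a mismatch here is one cause of the "revocation server was offline" error above.
$cdp = certutil -getreg CA\CRLPublicationURLs
if (-not ($cdp | Select-String -SimpleMatch 'http://subca.example.com/pki/')) {
    Write-Warning 'CRLPublicationURLs does not reference http://subca.example.com/pki/'
}

# Report the NextUpdate of the newest published CRL so an expired CRL on the web server is noticed.
$crl = Get-ChildItem -Path $Dest -Filter '*.crl' | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($crl) {
    $next = (certutil -dump $crl.FullName | Select-String 'NextUpdate:').Line
    Write-Output "Latest CRL: $($crl.Name) -> $next"
}

# Register as a scheduled task under a service account with write access to $Dest (assumed names):
# schtasks /Create /SC HOURLY /TN "Publish CRL" /TR "powershell.exe -File C:\Scripts\Publish-Crl.ps1" /RU DOMAIN\svc_pki /RP *
```

Run the task at least as often as the CA's CRL publication interval so the web copy never lags behind the CertEnroll copy.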
