CDP and DeltaCRL locations unable to download
I want to apologize ahead of time. This is my first time posting a thread. I am having problems getting my PKI to display status OK for all locations. Running Windows Enterprise and Windows 7 Professional on clients. My ldap:/// locations are OK, but the CDP & DeltaCRL locations show a status of Unable to Download. The actual errors are listed as:

DeltaCRL Location #2 Unable to Download http:/scsihq-dc01.corp-hq.scsi-ga.com/CertEnroll//corp-hq-SCSIHQ-DC01-CA(1)+.crl
DeltaCRL Location #3 Unable to Download file://SCSiHQ-DC01.corp-hq-ga.com/CertEnroll//corp-hq-SCSIHQ-DC01-CA(1)+.crl
CDP Location #2 Unable to Download http:/scsihq-dc01.corp-hq.scsi-ga.com/CertEnroll//corp-hq-SCSIHQ-DC01-CA(1).crl
CDP Location #3 Unable to Download file://SCSiHQ-DC01.corp-hq-ga.com/CertEnroll//corp-hq-SCSIHQ-DC01-CA(1).crl

Things I have done:
- Have set the value to true for double spacing in IIS7 and have restarted, and no luck.
- I have renewed my CA certificate, and when I did I now have (2) CA. Certificate #0 (OLD) and Certificate #1 (new) are showing up under my CA properties, but #1 is the one that is listed as my active CA on my server.
- Have changed my extensions under CA Properties and am still unable to get rid of the errors.
- Get an error when I try to paste the URL in a browser and go to the site. I get a message showing the URL address and physical address, and they are different.
  DeltaCRL Location #2
  Requested URL http://scsihq-dc01.corp-hq.scsi-ga.com:80/CertEnroll/corp-hq-SCSIHQ-DC01-CA(1)+.crl
  Physical Path C:\inetpub\wwwroot\CertEnroll\corp-hq-SCSIHQ-DC01-CA(1)+.crl
  CDP Location #2
  Requested URL http://scsihq-dc01.corp-hq.scsi-ga.com:80/CertEnroll/corp-hq-SCSIHQ-DC01-CA(1).crl
  Physical Path C:\inetpub\wwwroot\CertEnroll\corp-hq-SCSIHQ-DC01-CA(1).crl
  I have gone to these physical paths and there is nothing in these locations.
- Have read the post on CDP location unable to download and numerous ones thereafter, and still no luck.
- Have even gone back and re-installed online responder and PKI step by step, as well as AD CS step by step and online responder troubleshooting.

I have even gone to the actual folder locations to verify vdir and file locations. The third CDP and DeltaCRL location did not appear in my config until after I had renewed the CA. I am thinking that this is overkill for my PKI and that all I really need is 2 locations. I would appreciate any insight that you can offer me to help resolve these issues. I have a few more issues, but we'll take one at a time. Thank you.
May 4th, 2011 9:34pm

Set up your CDP Extension to publish to a file path as well...then your http lookup should succeed. Ex..."C:\Windows\System32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"

As a side note, I would remove the CDP publishing to the "file://" paths...this is redundant and not required, especially in an AD environment. LDAP and HTTP should be more than sufficient until you get to OCSP, which will be the best solution going forward...
May 5th, 2011 1:20am

You have two issues:

DeltaCRL Location #2 Unable to Download http:/scsihq-dc01.corp-hq.scsi-ga.com/CertEnroll//corp-hq-SCSIHQ-DC01-CA(1)+.crl
CDP Location #2 Unable to Download http:/scsihq-dc01.corp-hq.scsi-ga.com/CertEnroll//corp-hq-SCSIHQ-DC01-CA(1).crl

You have misspelled the URL. It is http:// not http:/ (you missed the second forward slash, and you have an extra slash before the CRL names (after CertEnroll)).

DeltaCRL Location #3 Unable to Download file://SCSiHQ-DC01.corp-hq-ga.com/CertEnroll//corp-hq-SCSIHQ-DC01-CA(1)+.crl
CDP Location #3 Unable to Download file://SCSiHQ-DC01.corp-hq-ga.com/CertEnroll//corp-hq-SCSIHQ-DC01-CA(1).crl

File locations are not supported for CRL and Delta CRL download locations since KB323172 (pre-Windows XP ship date).

HTH, Brian
May 5th, 2011 2:34am

I have made the necessary changes as you specified and I am still getting the same results. This setup was installed before me and was not properly configured. Would it be much easier to just decommission this enterprise CA and start from the beginning? Again, I thank you for all your help and support.
May 5th, 2011 5:22pm

When the CDP paths are working correctly, your browser will attempt to download a file when you use that url. I recommend that you use IE to verify that the CRL is downloadable. I typically use a different web site and/or machine when I publish the CDP because I might want to offload that onto another machine or make it accessible outside my environment. If you get to a point where just the deltas do not work, then check the double escaping feature of the website in IIS. HTH - fr3ddfr3dd
May 5th, 2011 9:39pm
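
Added example, not part of any post in this thread: a PowerShell lint for CDP and delta CRL URLs that flags the problems named in the replies above (the single-slash http:/ scheme, the doubled slash after CertEnroll, file:// locations, and the '+' in delta CRL names that needs IIS double escaping). Test-CdpUrl is a hypothetical helper name; the sample URLs are the ones quoted in the thread.

```powershell
# Added example: static checks on CDP / delta CRL URLs. Test-CdpUrl is a hypothetical name.
function Test-CdpUrl {
    param([Parameter(Mandatory)][string]$Url)

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Split into scheme, the run of slashes after ':', and everything else.
    if ($Url -notmatch '^(?<scheme>[A-Za-z][A-Za-z0-9+.\-]*):(?<slashes>/*)(?<rest>.*)$') {
        $findings.Add('Not a URL: no scheme found')
        return [pscustomobject]@{ Url = $Url; Ok = $false; Findings = $findings }
    }
    $scheme  = $Matches['scheme'].ToLowerInvariant()
    $slashes = $Matches['slashes'].Length
    $rest    = $Matches['rest']
    $isHttp  = ('http', 'https' -contains $scheme)

    # Per the reply in this thread, file locations are not supported for CRL download.
    if ($scheme -eq 'file') {
        $findings.Add('file:// is not supported as a CRL download location')
    }
    if ($isHttp -and $slashes -ne 2) {
        $findings.Add("Scheme is followed by $slashes slash(es); expected '://'")
    }

    # Everything after the host is the path; an empty segment shows up as '//'.
    $slashAt = $rest.IndexOf('/')
    $path = if ($slashAt -ge 0) { $rest.Substring($slashAt) } else { '' }
    if ($path -match '//') {
        $findings.Add('Empty path segment (doubled slash) before the CRL file name')
    }

    # Delta CRL names end in '+'. IIS 7 request filtering rejects such requests
    # unless allowDoubleEscaping is enabled for the site or virtual directory.
    $leaf = ($path -split '/')[-1]
    if ($isHttp -and $leaf.Contains('+')) {
        $findings.Add("File name contains '+': enable double escaping in IIS for this path")
    }

    [pscustomobject]@{ Url = $Url; Ok = ($findings.Count -eq 0); Findings = $findings }
}

# URLs as quoted in the thread: two failing entries and one well-formed request URL.
@(
    'http:/scsihq-dc01.corp-hq.scsi-ga.com/CertEnroll//corp-hq-SCSIHQ-DC01-CA(1)+.crl',
    'file://SCSiHQ-DC01.corp-hq-ga.com/CertEnroll//corp-hq-SCSIHQ-DC01-CA(1).crl',
    'http://scsihq-dc01.corp-hq.scsi-ga.com:80/CertEnroll/corp-hq-SCSIHQ-DC01-CA(1).crl'
) | ForEach-Object { Test-CdpUrl $_ } | Format-List
```

The check is purely syntactic: a URL that passes still has to be fetched from a client to confirm the CRL file is actually published at that path.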

thank you ... will keep you posted _________ Lester
May 5th, 2011 9:59pm

CDP path locations are working fine and are able to be downloaded. Thanks again.
May 12th, 2011 7:56pm
