CDP extension missing from Subordinate/Issuing CA certs
I am building a 2 tier PKI with a standalone offline root and 2 enterprise Subordinate CAs. I forgot to include a CDP location when I requested the Subordinate CA cert. A number of certificates have been issued since. I added the missing CDP extension to the Offline Root and then renewed the Subordinate CAs certificate and now the new CDP location is shown in the new cert. I'm not sure where to go from here. When I issue a client certificate it appears to be using the old Subordinate CA cert to chain to the root rather than the new one with the CDP extension added.
August 7th, 2012 12:47pm

You state that you added the CDP extension to the Offline Root, but did you also add the appropriate CDP extension to the Subordinate CAs?
August 7th, 2012 12:54pm

Yes, I have added them. Sorry for not mentioning that. :) The certificates that have been issued by the subordinate CAs contain the correct CDP locations.
August 7th, 2012 12:56pm

Did you select the checkbox to "Include in the CDP extension of issued certificates"? Did you use the existing cert request for the Subordinate CAs or did you do a renew, generate a new request, and install the new cert?
August 7th, 2012 1:02pm

Yes, the "Include in CDP extensions of issued certificates" box has been checked. I renewed the Subordinate CA certs by right-clicking the root CA in the Certification Authority snap-in, choosing Renew CA Certificate, and choosing to generate a new key pair. I now see 2 new certs for the Subordinate CAs along with the 2 old ones (that are missing the CDP extension). Shown below are the new certs with ID 6 & 7. This is as far as I have gotten.
August 7th, 2012 1:16pm

I am confused why the new subordinate certificates were issued using the CrossCA certificate. Looking at your list there were no new SubCA certificates issued though. If I'm not mistaken your Subordinate CAs would still be using the only SubCA certificates that have been issued to them which were your original certificates without CDP information. Any new certificates that you issued from the Subordinates would include CDP extension because you reconfigured the Subordinate CAs to include them.
August 7th, 2012 1:34pm

That's correct, the Subordinate CAs are still using the SubCA certificates, and the issued certs contain the CDP extensions. I need the CDP extensions in the SubCA certs though, as they are to be used for a Juniper Remote Access device.
August 7th, 2012 2:53pm

> I am building a 2 tier PKI with a standalone offline root and 2 enterprise Subordinate CAs. I forgot to include a CDP location when I requested the Subordinate CA cert. A number of certificates have been issued since. I added the missing CDP extension to the Offline Root and then renewed the Subordinate CAs certificate and now the new CDP location is shown in the new cert. I'm not sure where to go from here. When I issue a client certificate it appears to be using the old Subordinate CA cert to chain to the root rather than the new one with the CDP extension added.

My bet is that you renewed the CA certificate with the existing key pair. In that case you just need to remove the wrong CA certificate from client stores.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
August 7th, 2012 4:38pm
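The reply above hinges on one check: if the Subordinate CA was renewed with the existing key pair, the old and the new SubCA certificates carry the same Subject Key Identifier, so a client's Authority Key Identifier matches both and the chain builder may pick the old one without a CDP. The script below is an added example (not from the thread or the PSPKI module) that lists every certificate in the local machine Intermediate Certification Authorities store matching a leaf's AKI and flags which of them lack a CRL Distribution Points extension; the store path and the leaf selection are assumptions.

```powershell
# Added example. Assumes the SubCA certs are in Cert:\LocalMachine\CA and
# the leaf to examine is an X509Certificate2 (e.g. from Cert:\LocalMachine\My).
$CdpOid = '2.5.29.31'   # CRL Distribution Points
$SkiOid = '2.5.29.14'   # Subject Key Identifier
$AkiOid = '2.5.29.35'   # Authority Key Identifier

function Get-AkiKeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $aki = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $AkiOid }
    if (-not $aki) { return $null }
    # Format() renders the AKI as text such as "KeyID=ab cd ef ..."; keep bare hex
    $text = $aki.Format($false)
    if ($text -match 'KeyID=([0-9a-fA-F ]+)') { return ($Matches[1] -replace ' ', '').ToLower() }
    return $null
}

function Get-SkiKeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ski = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SkiOid }
    if (-not $ski) { return $null }
    # .NET types the SKI extension, so the identifier is available as a hex string
    return ([System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]$ski).SubjectKeyIdentifier.ToLower()
}

function Find-IssuerCandidates {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [string]$StorePath = 'Cert:\LocalMachine\CA'
    )
    $keyId = Get-AkiKeyId -Cert $Leaf
    if (-not $keyId) { Write-Warning 'Leaf has no AKI KeyID; cannot match by key'; return }
    Get-ChildItem $StorePath | ForEach-Object {
        $ca = $_
        if ((Get-SkiKeyId -Cert $ca) -ne $keyId) { return }
        # Two rows with the same KeyId means the CA cert was renewed with the existing
        # key pair; the row with HasCdp = False is the old SubCA cert to remove.
        [pscustomobject]@{
            Subject    = $ca.Subject
            NotBefore  = $ca.NotBefore
            Thumbprint = $ca.Thumbprint
            HasCdp     = [bool]($ca.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid })
        }
    }
}

# Usage: inspect the first personal certificate on this machine (adjust as needed)
$leaf = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
Find-IssuerCandidates -Leaf $leaf | Format-Table -AutoSize
```

If the two SubCA certificates show different key identifiers instead, the renewal did generate a new key pair, and the client cert chains to the old SubCA cert simply because it was signed by the old key.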

