I thought I had this setup right but there is definitley something wrong. I have a public URL added to my Cert Servers extensions but it doesn't show up in the Certificates that are being published. This is causing the certs to look invalid because they can't find the CRL. On the CA properties I have two HTTP extensions for the CDP. One is the default and the other is a publicly accessible name. Manually I can get to the CRL files. I'm messing with setting up SMIME and noticed the cert doesn't show the external site. Just the internal one. I had just created these templates. I don't see anything specific on the template where I'd have to tell it to use the additional HTTP external URL. Can anyone tell me what I'm missing?David Jenkins

Okay I think I may already have figured it out. The check boxes for "Include in CRLs.Clients use this to find Delta CRL locations" and "Include in the CDP extension of issued certificates" was not checked.David Jenkins

Okay I think I may already have figured it out. The check boxes for "Include in CRLs.Clients use this to find Delta CRL locations" and "Include in the CDP extension of issued certificates" was not checked.David Jenkins

Well it's there under CRL Distribution Points but still not working. It shows: Warning: The Certificate Revocation List needed to verify the signing certificate is either unavailable or it has expired. Signed by "email address here" using RSA/SHA1 at 2:21:47 PM 5/31/2012.David Jenkins

So there is CDP and AIA. AIA is not configured. Does that need to be?David Jenkins

I have two http addresses, could that be the issue?David Jenkins

Hi, please try to refer the following link to troubleshoot the issue: Troubleshooting Certificate Status and Revocation http://technet.microsoft.com/en-us/library/cc700843.aspx#XSLTsection125121120120 Hope this helps! Best Regards Elytis ChengElytis Cheng TechNet Community Support

It doesn't help. I can't find anything specific in the article that tells me what I've done wrong.David Jenkins