CRL already expired - cannot publish on Root
My issuing CA is offline and will not come online. The root CRL published to the Issuing CA has already expired (couple days later). It was apparently too difficult for me to configure this correctly.

This is essentially what I am facing: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/99680c1c-a0f2-41f3-8bbd-3c721db4d5d8

I thought at the very least I could publish a new CRL on the Root CA and then move it to the Issuing CA as I did initially. Afterwards, I would figure out how to extend the Root CRL duration to something longer - several months or so.

No luck in my case: "The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58)"

Same problem whether I attempt to publish Full or Delta CRL. How can I publish a new Root CRL manually, despite the error above?

Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
February 28th, 2012 9:40pm

OK - resolved for the time being (until I extend the CRL duration).

On the Root CA, I had to uncheck the "Publish CRLs to this location" and "Publish Delta CRLs to this location" for LDAP, since the stand-alone (offline) Root CA cannot publish anything to Active Directory.

Then, as I had planned, I moved (well, copied) the CRLs to the Issuing CA manually and imported them into Active Directory with the certutil -dspublish command. Now the Issuing CA can start again.
February 28th, 2012 10:01pm
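
The steps described in the resolution above, written out as commands (an added example, not part of the original thread). The file name `RootCA.crl`, the staging folder `C:\Transfer`, the six-month period, and the default `CertEnroll` output folder are assumptions; substitute your own values.

```powershell
# ---- On the offline, stand-alone Root CA (elevated prompt) ----

# List the CRL publication URLs. Each entry starts with a numeric flag sum;
# an ldap:/// entry that still includes 1 (publish CRLs here) or
# 64 (publish delta CRLs here) is one the CA will try to write to.
certutil -getreg CA\CRLPublicationURLs

# Lengthen the root CRL validity so it does not lapse again after a few days.
# Six months is an assumed value, not a recommendation from the thread.
certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod "Months"
Restart-Service certsvc      # the new period applies after a service restart

# Publish a fresh CRL to the remaining (file system) locations.
certutil -CRL

# Confirm the validity window of the new CRL before carrying it over.
# Assumes the default CertEnroll folder and English certutil output.
$crl = Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String 'ThisUpdate|NextUpdate'

# Copy the file to removable media under a name of your choice
# (RootCA.crl is a placeholder).
Copy-Item $crl.FullName 'E:\RootCA.crl'

# ---- On the domain-joined Issuing CA (Enterprise Admin rights) ----

# Write the root CRL into the CDP container in Active Directory.
# -f creates the directory object if it does not exist yet.
certutil -f -dspublish 'C:\Transfer\RootCA.crl'

# Start Certificate Services; it should now pass its revocation check.
Start-Service certsvc
Get-Service certsvc
```

If the Issuing CA still reports an expired or offline CRL after this, compare the `NextUpdate` value from the dump with the clock on the Issuing CA and check that the copy in every CDP location named in its certificate was replaced.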
