Certificate CDP misnamed under Enterprise PKI
Recently I discovered that the Certificate Authority CDP is creating the filename as "Server Name".crl, but under Enterprise PKI it shows the CDP status as "Unable to Download". That is because, while the server http location is correct, the file name is "Server FQDN".crl. I went to the server's properties > Extensions and checked the CDP address. There I have "http://domain_name.com/CertEnroll/<CaName><DeltaCRLAllowed>.crl". I thought maybe I needed to publish a new one, so I deleted the existing files under "C:\Windows\System32\certsrv\CertEnroll", restarted Certificate Authority, rebooted the server, and even tried the CLI "certutil -crl". I should add one significant point: the Delta CRL is working and is listed correctly under Enterprise PKI. I don't know at this point where to go next.
November 18th, 2012 7:22pm

Could you provide the results from the following command when you run it on the CA server: certutil.exe getreg CA\CRLPublicationURLs /Hasain
November 22nd, 2012 7:43am

Hi, did you check the box that makes the CA deliver the CDP to the local filesystem? Did you manually try to create a new CRL using the MMC? Regards, Thomas
November 27th, 2012 1:13am

Could you provide the results from the following command when you run it on the CA server: certutil.exe getreg CA\CRLPublicationURLs /Hasain

C:\Users\Administrator>certutil.exe -getreg CA\CRLPublicationURLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\mpls1\CRLPublicationURLs:

  CRLPublicationURLs REG_MULTI_SZ =
    0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
    CSURL_SERVERPUBLISH -- 1
    CSURL_SERVERPUBLISHDELTA -- 40 (64)

    1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    CSURL_SERVERPUBLISH -- 1
    CSURL_ADDTOCERTCDP -- 2
    CSURL_ADDTOFRESHESTCRL -- 4
    CSURL_ADDTOCRLCDP -- 8
    CSURL_SERVERPUBLISHDELTA -- 40 (64)

    2: 6:http://mpls1.DOMAINNAME.com/CertEnroll/%3%9.crl
    CSURL_ADDTOCERTCDP -- 2
    CSURL_ADDTOFRESHESTCRL -- 4
CertUtil: -getreg command completed successfully.

C:\Users\Administrator>

Here is the problem: here it lists "%3%9.crl" as the cert name. Under Enterprise PKI, and what is given in any issued certificate, is "mpls1.DOMAINNAME.com.crl", yet the delta is named "mpls1+.crl".
November 28th, 2012 7:15am

Your setting above shows that the CA will automatically publish a CRL file based on the template %3%8%9.crl, but the http URL refers to a CRL file based on the template %3%9.crl. You need to either publish another CRL file based on the %3%9.crl template or change the http URL to refer to the CRL using the %3%8%9.crl template! /Hasain
November 28th, 2012 10:44am

First, after whatever frantic changes I have made recently, the CRLs are being published with the correct URL + filename. So certificates issued have a CRL that can be seen (same for AIA). However, what is annoying is that under Enterprise PKI it still lists them as unable to download, and of course that is because the CRLs created are SERVERNAME.crl and SERVERNAME+.crl, while the URL listed there still shows it looking for DNSNAME_SERVERNAME.crl. Right now I am somewhat less concerned, as long as certificates being used can see and check the actual CRL. It is still just a concern why there is this discrepancy. One question I have: I am not familiar with what %3, %8, %9 correspond to or mean. What is the correct syntax/line I should use to create a CRL with just the server name "mpls1" at the URL mpls1.domain.com?
December 4th, 2012 1:14am

For a complete list of the variables available and their meanings, please check the "Configure the CA" section in this TechNet article http://technet.microsoft.com/en-us/library/hh831574.aspx /Hasain
December 5th, 2012 1:49am
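As an added example (not part of the thread, and not Microsoft's code), the following PowerShell does by script what Hasain did by eye in his earlier reply: it decodes the flag bits in front of each CRLPublicationURLs entry, expands the %-tokens the way certutil documents them (the list the TechNet article above covers), and reports whether the file name in each http CDP URL is one the CA will actually write. The function names are mine. The three entries are the ones from the certutil -getreg output in the thread; the CA values (CA name mpls1, host mpls1.DOMAINNAME.com, the configuration container DN) are assumptions modelled on that output.

```powershell
# Added example, not from the thread: decode CRLPublicationURLs entries, expand the
# certutil %-tokens for a CA, and flag any CDP URL whose file name is not one the
# CA actually publishes. Function names and CA values are assumptions for illustration.

$CsUrlFlags = [ordered]@{          # bit values certutil prints next to each entry
    SERVERPUBLISH      = 1         # publish base CRL to this location
    ADDTOCERTCDP       = 2         # put URL in the CDP extension of issued certificates
    ADDTOFRESHESTCRL   = 4         # put URL in the Freshest CRL extension (delta CRL location)
    ADDTOCRLCDP        = 8         # AD publication location for manual publish (LDAP)
    SERVERPUBLISHDELTA = 64        # publish delta CRL to this location
    ADDTOIDP           = 128       # put URL in the IDP extension of issued CRLs
}

function Expand-CaUrlTokens {
    param([Parameter(Mandatory)][string]$Template,
          [Parameter(Mandatory)][hashtable]$Ca,
          [switch]$Delta)
    $map = @{
        '%1'  = $Ca.ServerDNSName            # DNS name of the CA host
        '%2'  = $Ca.ServerShortName          # NetBIOS name of the CA host
        '%3'  = $Ca.CaName                   # CA name
        '%4'  = $Ca.CertificateName          # CA certificate renewal suffix (AIA paths)
        '%6'  = $Ca.ConfigurationContainer   # AD configuration container DN
        '%7'  = $Ca.CATruncatedName          # CA name truncated to 32 chars (+hash) for LDAP
        '%8'  = $Ca.CRLNameSuffix            # CRL renewal suffix, empty until the CA key is renewed
        '%9'  = $(if ($Delta) { '+' } else { '' })   # "+" only when naming the delta CRL
        '%10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'  # LDAP query suffix
        '%11' = '?cACertificate?base?objectClass=certificationAuthority'           # LDAP query suffix
    }
    $out = $Template
    # Longest tokens first so %10/%11 are not split into %1 + "0"/"1".
    foreach ($k in ($map.Keys | Sort-Object { $_.Length } -Descending)) {
        $out = $out.Replace($k, [string]$map[$k])
    }
    return $out
}

function ConvertFrom-CrlPublicationUrl {
    param([Parameter(Mandatory)][string]$Entry)   # e.g. "65:C:\...\%3%8%9.crl"
    if ($Entry -notmatch '^(\d+):(.+)$') { throw "Malformed CRLPublicationURLs entry: $Entry" }
    $flags = [int]$Matches[1]
    [pscustomobject]@{
        Flags     = $flags
        FlagNames = @($CsUrlFlags.Keys | Where-Object { ($flags -band $CsUrlFlags[$_]) -ne 0 })
        Template  = $Matches[2]
    }
}

function Test-CrlPublicationUrls {
    param([Parameter(Mandatory)][string[]]$Entries,
          [Parameter(Mandatory)][hashtable]$Ca)
    $leaf = { param($s) ($s -split '[\\/]')[-1] }   # file name after the last \ or /
    $published  = @{}    # file names the CA will write (SERVERPUBLISH / SERVERPUBLISHDELTA)
    $referenced = @()    # URLs clients are told to fetch (ADDTOCERTCDP / ADDTOFRESHESTCRL)
    foreach ($e in ($Entries | ForEach-Object { ConvertFrom-CrlPublicationUrl $_ })) {
        if ($e.Template -like 'ldap:*') { continue }   # LDAP entry publishes and references the same DN
        $base  = Expand-CaUrlTokens -Template $e.Template -Ca $Ca
        $delta = Expand-CaUrlTokens -Template $e.Template -Ca $Ca -Delta
        if ($e.FlagNames -contains 'SERVERPUBLISH')      { $published[(& $leaf $base)]  = $true }
        if ($e.FlagNames -contains 'SERVERPUBLISHDELTA') { $published[(& $leaf $delta)] = $true }
        if ($e.FlagNames -contains 'ADDTOCERTCDP')     { $referenced += [pscustomobject]@{ Kind = 'BaseCRL';  Url = $base } }
        if ($e.FlagNames -contains 'ADDTOFRESHESTCRL') { $referenced += [pscustomobject]@{ Kind = 'DeltaCRL'; Url = $delta } }
    }
    foreach ($r in $referenced) {
        [pscustomobject]@{ Kind = $r.Kind; Url = $r.Url; PublishedByCa = $published.ContainsKey((& $leaf $r.Url)) }
    }
}

# Constructed sample: the three entries from the certutil -getreg output in the thread.
$SampleEntries = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    '6:http://mpls1.DOMAINNAME.com/CertEnroll/%3%9.crl'
)
# Assumed CA values modelled on the thread (CA name "mpls1" on host mpls1.DOMAINNAME.com).
$Ca = @{
    ServerDNSName = 'mpls1.DOMAINNAME.com'; ServerShortName = 'mpls1'; CaName = 'mpls1'
    CertificateName = ''; CATruncatedName = 'mpls1'; CRLNameSuffix = ''
    ConfigurationContainer = 'CN=Configuration,DC=DOMAINNAME,DC=com'
}

'--- current CA key (%8 empty): http names match the published files ---'
Test-CrlPublicationUrls -Entries $SampleEntries -Ca $Ca | Format-Table -AutoSize
'--- after a CA renewal with a new key (%8 = "(1)"): http URL still names the old files ---'
$Ca.CRLNameSuffix = '(1)'
Test-CrlPublicationUrls -Entries $SampleEntries -Ca $Ca | Format-Table -AutoSize

# On a live CA, feed the real entries instead of the sample (registry path as shown in the thread):
#   $live = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\mpls1").CRLPublicationURLs
```

The two runs show why a %3%8%9.crl publish template paired with a %3%9.crl http template is fragile: with the current key the names agree (mpls1.crl and mpls1+.crl), but once the CA certificate is renewed with a new key %8 becomes "(1)", the CA writes mpls1(1).crl and mpls1(1)+.crl, and the URL in every issued certificate still points at mpls1.crl. On the naming question in the thread: %3 is the CA name, and the registry path Configuration\mpls1 in the posted output says the CA name is mpls1, so %3%9.crl already expands to mpls1.crl and mpls1+.crl on that CA; a file named mpls1.DOMAINNAME.com.crl is what a template using %1 (ServerDNSName) would produce on that host.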

This topic is archived. No further replies will be accepted.