Certificate download from AIA location
I have a 2-tier CA hierarchy: offline root CA (2K3) and two online subordinate Enterprise CAs (2K8 R2). I have published all CA certificates and CRLs to HTTP locations only. I have installed a Domain Controller Authentication certificate on a DC to test LDAPS connectivity. When attempting an LDAPS connection from an XP client using LDP, the connection fails and reports event ID 36882 in the System log for a source of SChannel. I was expecting the certificate chaining engine to download each missing certificate in the chain, in this case the SubCA cert and the root cert, from the HTTP location specified in the AIA field of each certificate in the chain when validating the DC's Domain Controller Authentication certificate, but clearly this isn't happening. Do I have a totally ____-eyed view of what the certificate validation process will do? If I install all the CA certs in the certificate chain in the client, the connection works perfectly.

SG
February 13th, 2010 2:41am
Just a follow-up to my original post... I found that if the root certificate was installed, authentication to the domain controller via LDAPS was successful, which prompts this question: are root certificates ever downloaded from the URL in the AIA? A bit more digging led me to the Certificate Revocation and Status Checking white paper (http://technet.microsoft.com/en-us/library/bb457027.aspx). In the section headed 'CRL and AIA caching', the following is stated:

<snip>
Certificates are cached when CryptoAPI retrieves them from a certificate store or a URL. The cache location varies depending on the source where a certificate or a CRL was retrieved. A certificate or a CRL can exist in one or several of the following locations.

Memory: All valid certificates and CRLs that have been touched by the chain-building engine since the last reboot are cached in memory.

Certificate Store: All certificates that are not treated as root CA certificates and that have been retrieved from an HTTP, LDAP or FILE URL reference via the AIA certificate extension are cached in the certificate store if the certificates are found to be part of a valid chain by the CryptoAPI. Root CA certificates are not automatically cached and must be added explicitly by the interactive user to the corresponding certificate store.
</snip>

The highlighted text seems to underline the fact that Root CA certs are not automatically downloaded during certificate validation, but intermediate CA certs are. Would this be a fair assumption?

Steve G
February 13th, 2010 6:57pm
Every certificate is downloaded (as far as possible) using URLs from the AIA extension. The highlighted text assumes that intermediate CA certificates are cached in the Intermediate CAs container. The root certificate, however, is the trust anchor, and if it is trusted, all certificates below the root will be considered valid. Therefore root certificates will never be cached in the Trusted Root CAs container, and to trust a particular trust anchor you need to manually install the root certificate into the Trusted Root CAs container.

http://www.sysadmins.lv
February 13th, 2010 7:58pm
Just to add (since I wrote the referenced white paper), there *never* is automatic trust of a root CA. It must be defined either:

1. manually by the user
2. published into the Certification Authorities container in AD (through certutil -dspublish Rootcert.crt RootCA)
3. published through a GPO defining the certificate in the Trusted Root Certification Authorities
4. added through the command line as an administrator: certutil -addstore root Rootcert.crt

If AIA chasing is performed, the root certificate is downloaded, but not considered trusted, causing your issue. In your deployment, you need to perform either task 2 or task 3 in the list above. All domain members running Windows 2000 or higher would then trust the root CA after application of Group Policy.

Brian
February 13th, 2010 11:03pm
Brian and Vadims,

Many thanks for your clarifications. I have a follow-up question... Does the chasing of URLs in the AIA result in intermediate CA certificates becoming visible in the Certificates MMC snap-in under the Intermediate Certification Authorities container, or are the certificates just downloaded to the CryptoAPI cache and used for any subsequent validation? Or, to put it another way, does AIA chasing populate intermediate certificates in the Intermediate Certification Authorities container visible in the Certificates MMC, or are the intermediate certificates just pulled down into memory (or temporary disk storage; not sure how the CryptoAPI cache is represented) and gone when the workstation is rebooted?

I'm minded to think that the intermediate CA certificates are temporary after testing LDAPS connectivity to my domain controller using a stand-alone XP SP3 workstation that only had the root CA certificate installed. The connection is successful, but the intermediate CA certificate does not become visible in the Certificates MMC.

Steve G
February 15th, 2010 2:32pm
The certificates are cached. This does not equate to being visible in the Certificates MMC.

Brian
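As an added example (my own script, not posted by anyone in this thread and not Microsoft's code), the following PowerShell script reproduces on a client what the thread describes: it reads the AIA URLs from the DC's Domain Controller Authentication certificate, lets the chain engine chase them, and then maps the resulting chain status to the two failure modes discussed above (root fetched via AIA but not trusted, versus an intermediate that could not be retrieved). It also checks whether the issuer certificate has landed in the Intermediate Certification Authorities store that the Certificates MMC shows. Assumptions: the DC certificate has been exported to the placeholder path in `$CertPath`; `certutil -verify -urlfetch` and `certutil -urlcache` are standard certutil switches I mention as the command-line equivalents, they do not come from the thread.

```powershell
# Added diagnostic script (not from the thread). Run on the client that fails LDAPS.
# $CertPath is a placeholder: export the DC's server certificate (DER or Base64) there first.
param([string]$CertPath = 'C:\temp\dc-auth.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"

# 1. The AIA extension (OID 1.3.6.1.5.5.7.1.1) holds the URLs the chain engine chases
#    to fetch the issuer's certificate. Format($true) prints them one per line.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if ($aia) { Write-Host "AIA:`n$($aia.Format($true))" } else { Write-Host 'No AIA extension on this certificate' }

# 2. Build the chain the way the client would: URL retrieval allowed, online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 20
$built = $chain.Build($cert)

Write-Host "Chain built successfully: $built"
$i = 0
foreach ($el in $chain.ChainElements) {
    # Element 0 is the end-entity cert; the last element is the root the engine found (trusted or not).
    Write-Host ("  [{0}] {1}" -f $i, $el.Certificate.Subject)
    $i++
}

# 3. Translate the status flags into the situations described in the thread.
foreach ($s in $chain.ChainStatus) {
    switch ("$($s.Status)") {
        'UntrustedRoot' {
            $hint = 'root found (possibly fetched via AIA) but not in Trusted Root CAs: publish it with certutil -dspublish, a GPO, or certutil -addstore root'
        }
        'PartialChain' {
            $hint = 'an issuer certificate could not be obtained: check that the AIA HTTP URL is reachable from this client'
        }
        'RevocationStatusUnknown' {
            $hint = 'CRL could not be retrieved: check the CDP HTTP URL'
        }
        default { $hint = $s.StatusInformation.Trim() }
    }
    Write-Host ("  {0}: {1}" -f $s.Status, $hint)
}

# 4. Cached is not the same as visible in the MMC: see whether the issuer certificate
#    is actually in the Intermediate Certification Authorities store of this user.
$inStore = Get-ChildItem Cert:\CurrentUser\CA | Where-Object { $_.Subject -eq $cert.Issuer }
if ($inStore) {
    Write-Host "Issuer present in CurrentUser\CA store (visible in the MMC): $($inStore.Thumbprint)"
} else {
    Write-Host 'Issuer not in CurrentUser\CA store; if the chain built, it was served from the CryptoAPI cache only'
}
```

Run it as the same account whose LDAPS connection fails, because stores and caches are per context: a service validating in the machine context uses `Cert:\LocalMachine\CA`, not `CurrentUser`. `UntrustedRoot` on the last element is exactly Brian's case: AIA chasing delivered the root, but nothing has made it a trust anchor. `certutil -verify -urlfetch C:\temp\dc-auth.cer` gives the same chain and URL retrieval trace from the command line, and `certutil -urlcache` lists what the URL cache currently holds, which is where a chased intermediate lives when it does not show up in the MMC.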
February 15th, 2010 4:20pm