Configuring Web server for URL for Issuing CA AIA and CDP
Hi, This site seems to have almost all the unanswered questions I've had about AD CS for Windows Server 2008 R2. One thing I don't seem to be able to find on the Internet or on this site is how to set up an IIS 7.5 Web server as the single http URL for the AIA and CDP locations for the online issuing CA, which is a Windows Server 2008 R2 Enterprise Issuing CA. According to the Enterprise PKI tool, the http reference for the Issuing CA itself is working fine and the OCSP location is working fine, but references to the Web server are showing as "Unable to download". I readily admit I don't know much about configuring IIS, but with the assistance of co-workers we set up the Web server and created the CertData folder as instructed. But I have hardly seen any information on the Internet about just how to set this up. In Chap. 10 of Brian's book, Windows Server 2008 PKI and Certificate Security, the section on Choosing Publication Protocols makes the case for using an HTTP location, but not much information seems to be present on how to set it up and configure it correctly. Chapter 19 about implementing SSL Encryption for Web servers doesn't seem to be related to this process, and I just don't seem to find references to how to go about setting up the Web server anywhere else in the book. Am I completely missing something here? What I'm mostly interested in is the steps to successfully set up the http URL as stated above. If setting up a Web server is not really that essential beyond the issuing CA's http settings, then I could just not set up a separate Web server. Thanks for any help any of you can provide! In this lab scenario I've created, I've successfully configured an offline Root CA, an offline Policy CA (in the future we'll be doing business with other organizations), and an Issuing CA. I've set up OCSP on another server and that is functioning just fine.
January 11th, 2011 12:34pm

All that you have to do is:
1) Install the Web Server role
2) Create the virtual directories that you wish to use
3) Use some sort of copy protocol to copy the updated CRLs and the CRTs from the CAs to the new virtual directories. This can be done through scheduled tasks for issuing CAs and through manual copies for offline CAs.
4) Consider enabling directory browsing for the virtual directory (to allow opening the virtual directory itself in the browser, seeing all of the published CRLs and CA certs)
5) If using delta CRLs, you must enable double-escaping on the virtual directory:
appcmd set config /section:requestfiltering /allowdoubleescaping:true
Brian
January 11th, 2011 4:20pm
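The steps above, carried out with the IIS 7.5 WebAdministration module and certutil, as an added example that is not from Brian's reply or the book. The site name, the CertData virtual directory, the physical path, the CertEnroll source folder and the test certificate path are assumptions for illustration; the double-escaping setting is scoped to the virtual directory rather than the whole server.

```powershell
# Added example: publish CDP/AIA files from an issuing CA on an IIS 7.5 virtual
# directory. Names and paths below are assumptions; adjust to your environment.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'                             # assumed IIS site
$VDirName   = 'CertData'                                     # -> http://<host>/CertData/
$PhysPath   = 'C:\inetpub\CertData'                          # assumed folder on the web server
$CertEnroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"  # CA publish folder (or \\CA\CertEnroll)
$VDirPath   = "IIS:\Sites\$SiteName\$VDirName"

# 1/2) Create the folder and the virtual directory if they do not exist yet
if (-not (Test-Path $PhysPath)) { New-Item -Path $PhysPath -ItemType Directory | Out-Null }
if (-not (Test-Path $VDirPath)) {
    New-WebVirtualDirectory -Site $SiteName -Name $VDirName -PhysicalPath $PhysPath | Out-Null
}

# 4) Directory browsing, so the published CRLs and CA certs can be listed in a browser
Set-WebConfigurationProperty -PSPath $VDirPath -Filter '/system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $true

# 5) Delta CRL file names contain a '+', which IIS request filtering rejects
#    unless double escaping is allowed; set it only on this virtual directory
Set-WebConfigurationProperty -PSPath $VDirPath -Filter '/system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# 3) Copy the base CRL, delta CRL and CA certificate into the published folder.
#    For the issuing CA, run this copy from a scheduled task so it stays current;
#    for the offline CAs, copy their files by hand after each CRL publish.
Copy-Item -Path (Join-Path $CertEnroll '*.crl') -Destination $PhysPath -Force
Copy-Item -Path (Join-Path $CertEnroll '*.crt') -Destination $PhysPath -Force

# Check: fetch every AIA/CDP URL of a certificate issued by this CA (assumed path);
#    the http:// entries must report as verified instead of "Unable to download".
certutil -verify -urlfetch 'C:\temp\issued-cert.cer'
```

If the check still fails for the delta CRL only, confirm that allowDoubleEscaping was written for the virtual directory and not overridden at the site level.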

You've probably long since gotten this figured out, but in my similar searching I found a more detailed guide to setting up a CDP web server on the SCCM blog. Check it out at http://blogs.technet.com/b/configmgrteam/archive/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server.aspx
May 11th, 2012 9:50am
