Correct AIA and CDP extensions for offline Root CA, publish to local file system and LDAP only
I have a double objective here: 1) properly configure the AIA and CDP extensions for an offline Root CA and 2) create a script with the same settings that you see in the GUI. The name of the CA is "CA-A". Domain name is mynet.int. Do these settings seem to be appropriate?

Here is what I have configured for AIA (as seen in the GUI, CA properties, Extensions tab):

AIA
- AIA - C:\...(etc.): Nothing - options grayed out.
- AIA - LDAP: Check "Include in the AIA extension of issued certificates".
- AIA - HTTP: Nothing checked (for the present scenario, certs would only be distributed via GPO/autoenrollment and I would not be using OCSP).
- AIA - File: Nothing - do we still use the file option?

CDP
- CDP - C:\... (etc.): Publish CRLs (and Delta CRLs) to this location. Other options grayed out.
- CDP - LDAP: Not sure about this... Should I uncheck the "Publish..." options since the Root CA cannot publish to Active Directory? Seems to make sense, unless I'm missing something. Of course, I will copy the appropriate files to the Sub CA and use certutil -addstore and certutil -dspublish to install the Root CA cert and CRL as needed.
- CDP - HTTP: Nothing
- CDP - File: Nothing

In the scripts, reflecting (I hope) the above configuration, we would have:

AIA

    certutil setreg CA\CACertPublicationURLs "1:%WINDIR%\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"

Local file system
- 1: -> Publish to local file system (use indicated path)
- %1 -> DNS name of computer "CA1.mynet.int"
- %3 -> CA logical name CA-A
- %4 -> name of cert file

LDAP
- 2: -> Include LDAP URL in AIA of all issued certificates.
- %7 -> CA sanitized name (what name?)
- %6 -> ConfigDN (CN=Configuration,DC=mynet,DC=int)
- %11 -> Simply designates object as a CA object in AD.

CDP

    certutil setreg CA\CRLPublicationURLs "1:%WINDIR%\System32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

Local file system
- 1: -> Publish to local file system (use indicated path)
- %3 -> CA logical name CA-A
- %8 -> CRL Name Suffix - the CRL's renewal extension
- %9 -> Delta CRL allowed (If I add %9, that means they are allowed - and used?)

LDAP
- %7 -> CA sanitized name (???)
- %8 -> CRL Name Suffix - the CRL's renewal extension
- %2 -> Server short name (NetBIOS name) - CA-A
- %6 -> ConfigDN (CN=Configuration,DC=mynet,DC=int)
- %10 -> Designates object as a CDP in Active Directory

Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
March 16th, 2012 9:10pm
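
As an added example (mine, not part of the thread or any Microsoft script), the same AIA/CDP settings as a PowerShell script run on the offline root, followed by the manual AD publish and a fetch check the thread alludes to. The server short name CA1, the export path and the Sub CA certificate file name are assumptions; the flag values are the documented CSURL_* bits.

```powershell
# Added example, not from the thread. Run elevated on the offline root CA (CA-A, mynet.int)
# after the CA role is installed. Names follow the thread; CA1 as server short name,
# the export path and the Sub CA certificate file name are my assumptions.
$CertEnroll = "$env:windir\System32\CertSrv\CertEnroll"  # the GUI shows this as C:\Windows\...

# certutil stores these strings literally; %1..%11 are expanded by the CA service, not the shell.
# Unlike a .cmd file (where %1 is a batch argument and must be written %%1), PowerShell
# passes %1, %3 ... through unchanged. "\n" is certutil's URL separator, also passed literally.
# AIA flags: 1 = publish cert to this location, 2 = include in AIA extension of issued certs.
$Aia = "1:$CertEnroll\%1_%3%4.crt" +
       "\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
# CDP flags: 1 = publish CRL here; 10 = 2 (include in CDP of issued certs)
#            + 8 (include in all CRLs = where to publish in AD when publishing manually).
# No 64 (publish delta) and no publish bit on the LDAP URL: the root never writes to AD itself.
$Cdp = "1:$CertEnroll\%3%8%9.crl" +
       "\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

certutil -setreg CA\CACertPublicationURLs $Aia
certutil -setreg CA\CRLPublicationURLs    $Cdp
# An offline root cannot serve delta CRLs in a timely way; disabling them keeps %9 empty.
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service certsvc          # registry changes take effect on service restart
certutil -crl                    # issue a fresh CRL carrying the new CDP URLs

# Check what was actually stored (multi-valued; one URL per line).
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\CRLPublicationURLs

# Files to carry to the domain: CA cert (%1_%3%4.crt) and CRL (%3%8%9.crl).
Get-ChildItem "$CertEnroll\*" -Include *.crt, *.crl |
    Copy-Item -Destination 'E:\RootCA-export\'   # removable media path: assumption

# --- On a domain-joined host (e.g. the Sub CA), as Enterprise Admin, from the copied files ---
# The CDP container name given to -dspublish must equal %2 (server short name) in the LDAP URL.
#   certutil -dspublish -f 'E:\RootCA-export\CA1.mynet.int_CA-A.crt' RootCA
#   certutil -dspublish -f 'E:\RootCA-export\CA-A.crl' CA1
#   certutil -addstore  -f Root 'E:\RootCA-export\CA1.mynet.int_CA-A.crt'
# Once the Sub CA certificate is issued, confirm AIA and CDP actually resolve from a domain member:
#   certutil -verify -urlfetch 'C:\path\to\SubCA.crt'
```

The -urlfetch check is the quickest way to catch a CN in the LDAP URL that does not match the container -dspublish created, which shows up as a revocation-check failure on every Sub CA-issued certificate.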

You are all go, the certutil command with the AIA and CDP URLs looks very correct for what you are describing /Hasain
March 18th, 2012 1:11am

Thanks. Will give that a try shortly.

Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
March 18th, 2012 9:02am
