Cross Certificates and what to do with them
I was doing alright and then I came across this mad naming scheme which appeared when renewing my Root CA with a new key pair. I found an explanation on the specific naming here: http://technet.microsoft.com/fr-fr/library/cc778802(WS.10).aspx I've found discussion on what the Cross Certificates generated when performing renewals with new key pairs are, as here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/78146c8e-9557-4b3e-bd91-ff04bfa642cc But what am I to do with the Cross Certificates? In my 2-tier AD CS PKI, do I need to use certutil with the -dspublish switch to push those certs into AD? Do I need those cross certs in the HTTP publish location also? Now I have a grasp on what these files with new suffixes are, what should I be doing with them? A little confused again. Sorry everyone! :( Regards Paul.
September 28th, 2010 7:17am

It depends on whether you have an offline root CA (workgroup-based, standalone root CA), or an online root CA (enterprise CA, or domain-joined standalone CA). If the CA is online (as defined above), the CrossCA certificates are automatically published. If offline, then run the following commands:
Certutil -dspublish -f Root(0-1).crt CrossCA
Certutil -dspublish -f Root(1-0).crt CrossCA
Certutil -dspublish -f Root(1).crt RootCA
Brian
September 28th, 2010 7:42am
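The offline-root case Brian describes, scripted as an added example (this is editor-supplied code, not Brian's or Microsoft's): it locates the renewed root certificate and the two cross certificates by the naming pattern discussed in the thread, publishes each with the matching certutil -dspublish object type, and then lists the AIA container so the result can be checked. Assumed values: the .crt files have been copied from the offline root's CertEnroll folder to $CertFolder, the CA's common name is the placeholder "Contoso Root CA", the script runs on a domain-joined machine with Enterprise Admins rights (needed for -dspublish), and the verification query against the AIA container's crossCertificatePair attribute is the author's assumption about where CrossCA objects are stored.

```powershell
# Added example: publish an offline root CA's renewed root and cross
# certificates into Active Directory and verify the result.
# Assumptions: .crt files copied from the root's CertEnroll folder to
# $CertFolder; CA name is a placeholder; run as Enterprise Admin.
param(
    [string]$CertFolder = 'C:\PKI\RootCerts',   # assumed copy location
    [string]$RootCaName = 'Contoso Root CA'     # placeholder CA common name
)

function Publish-CaCert {
    # Wraps "certutil -dspublish -f <file> <RootCA|CrossCA>" and fails loudly.
    param([string]$Path, [ValidateSet('RootCA', 'CrossCA')][string]$ObjectType)
    & certutil.exe -dspublish -f $Path $ObjectType | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -dspublish failed (exit $LASTEXITCODE) for $Path"
    }
    Write-Host "Published $(Split-Path $Path -Leaf) as $ObjectType"
}

# Renewed root certificate: "<CA name>(<index>).crt", e.g. "Contoso Root CA(1).crt".
# The regex excludes the "(0-1)" / "(1-0)" cross-certificate files.
Get-ChildItem -Path $CertFolder -Filter "$RootCaName(*).crt" |
    Where-Object { $_.Name -match '\(\d+\)\.crt$' } |
    ForEach-Object { Publish-CaCert -Path $_.FullName -ObjectType 'RootCA' }

# Cross certificates: "<CA name>(<old>-<new>).crt" and "<CA name>(<new>-<old>).crt".
$cross = @(Get-ChildItem -Path $CertFolder -Filter "$RootCaName(*-*).crt")
if ($cross.Count -eq 0) {
    # No cross certs means either the renewal kept the old key pair, or
    # CRLF_DISABLE_ROOT_CROSS_CERTS is set on the CA (certutil -getreg ca\CRLFlags).
    Write-Warning "No cross certificates found in $CertFolder; nothing to publish as CrossCA."
}
$cross | ForEach-Object { Publish-CaCert -Path $_.FullName -ObjectType 'CrossCA' }

# Verification (assumption: CrossCA objects land in the AIA container's
# crossCertificatePair attribute). Lists every CA object one level below AIA.
$cfg = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$aia = "ldap:///CN=AIA,CN=Public Key Services,CN=Services,$cfg?crossCertificatePair?one?objectClass=certificationAuthority"
& certutil.exe -store $aia
```

Run it from an elevated PowerShell prompt on a domain member after copying the .crt files over; the warning branch is the quick way to notice that a renewal produced no cross certificates at all, which is the situation the later posts in this thread ask about.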

Madness! Brian, do you ever leave these forums alone? ;) I've read both of your 2003 and 2008 MS Press books to the point where my ability to follow without practical experience shallowed, but I obviously did not read them well enough with all these questions I keep finding. There's a mention of the CrossCA certutil option in Chapter 16, but I can't find it anywhere else in the 2008 book. Hmm. Anyway, thanks for the reply, I'll go away and test until I get stuck again! Regards Paul.
September 28th, 2010 9:51am

I agree that Brian is a real asset to this forum. ;-) I wonder if I could ask my own question relating to automatic root CA cross certificate generation... I was given some advice to disable auto root CA cross cert functionality as it was only for "legacy purposes" and given the following command to run:
certutil -setreg ca\CRLFlags +CRLF_DISABLE_ROOT_CROSS_CERTS
With this set, a root CA cert renewal (with new keys) didn't create all the (0-1) and (1-0) business, which seemed clean; however, I'm not sure I fully understand the consequences of not having these extra certificates. Can anyone advise? Thanks, Brian (not the clever one)
September 29th, 2010 3:59am

Sounds like a question I might have in a few days! Yes, I'd be interested to hear any advice on this too. Regards Paul.
September 29th, 2010 4:04am
