General guidance needed with AD Certificate Services
Hi, I want to use AD Certificate Services to support ADFS in my infrastructure and configured ADCS following the guide found here: http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx

I'm new to the process and have a few questions:

After successfully configuring the CA and online responder, I got some PKI errors stating that some AIA and CDP locations were not successfully downloaded. Even though the Best Practice Analyzer was happy, I didn't like these errors, so I went ahead and removed all of the extensions and added only the OCSP extension that I added in the guide and checked it to show as an AIA. I now only have 2 successful locations at http://myserver/ocsp which also shows up as an AIA (after checking the check box).

So my first question is: Have I gone a little too far in removing these extensions? I seem to have no LDAP extension and it might have been unnecessary to remove them all. If I need an LDAP location, how do I build the path to the certificate location in AD?

My second question relates to a mistake I made shortly afterwards. I revoked a certificate by accident and cannot seem to find a way to get it back. What is the process of reissuing a revoked certificate?

My last question is that I need to somehow test my setup. Even though I have no more errors, I don't think that I set everything up correctly as I am really new to this. Is there an easy to use tool out there that can help me?

Any help would be greatly appreciated

Regards
Michael
February 15th, 2011 2:59am

1) It is not correct. OCSP is based on CRLs and is handled by Vista+ clients. You still have to maintain CRLs for legacy clients. If you are not experienced in PKI I would advise leaving the default CDP/AIA extension settings.

2) Once a certificate is revoked (except with the Certificate Hold reason) it is not possible to unrevoke it. While the Certificate Hold reason allows you to unrevoke a certificate, it is not recommended to use this reason in a production environment.

3) Consider using the PKIView.msc MMC snap-in.

http://en-us.sysadmins.lv
February 15th, 2011 3:52am
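Before deciding whether the CDP/AIA extensions were cut back too far, it helps to see exactly which publication URLs the CA still carries and which of them are actually written into issued certificates. The PowerShell below is an added example, not code from the thread or from Microsoft; it reads the CA's `CRLPublicationURLs` and `CACertPublicationURLs` values from the CertSvc configuration registry key, decodes the flag prefix of each entry, and warns when no LDAP or HTTP location is set to be included in certificates. The CA name is an assumed placeholder.

```powershell
# Added example: audit the CDP (CRL) and AIA publication URLs of an AD CS CA.
# Run on the CA itself as an administrator. $CAName is an assumption; use the
# CA common name shown by "certutil -cainfo name".
$CAName = 'EXAMPLE-ISSUING-CA'   # placeholder, not from the thread
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"

# Each REG_MULTI_SZ entry has the form "<flags>:<url>". The flag bits decide
# where the CA publishes to and whether the URL goes into issued certificates.
# A default-style LDAP CDP entry, for reference, looks like
#   79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
# where %2 = server short name, %6 = configuration container, %7 = CA name,
# %8 = CRL name suffix and %10 = CDP object class.
$cdpFlags = @{ 1 = 'PublishToServer'; 2 = 'AddToCertificateCDP'; 4 = 'AddToFreshestCRL';
               8 = 'AddToCrlCdp';     16 = 'AddToCrlIdp';        64 = 'PublishDeltaToServer';
               128 = 'AddToCrlOcsp' }
$aiaFlags = @{ 1 = 'PublishToServer'; 2 = 'AddToCertificateAIA'; 32 = 'AddToCertificateOCSP' }

function Show-PublicationUrls($ValueName, $FlagNames, $IncludeBit) {
    $entries = (Get-ItemProperty -Path $key -Name $ValueName).$ValueName
    Write-Host "`n$ValueName"
    $hasLdap = $false
    $hasHttp = $false
    foreach ($entry in $entries) {
        $flagText, $url = $entry -split ':', 2
        $flags = [int]$flagText
        $names = $FlagNames.Keys | Where-Object { $flags -band $_ } |
                 ForEach-Object { $FlagNames[$_] }
        Write-Host ("  {0,-4} {1}`n       -> {2}" -f $flags, $url, ($names -join ', '))
        # Only URLs carrying the "add to certificate" bit are seen by clients.
        if ($flags -band $IncludeBit) {
            if ($url -like 'ldap:*') { $hasLdap = $true }
            if ($url -like 'http:*') { $hasHttp = $true }
        }
    }
    if (-not $hasLdap) { Write-Warning "$ValueName: no LDAP location is written into certificates" }
    if (-not $hasHttp) { Write-Warning "$ValueName: no HTTP location is written into certificates" }
}

# Bit 2 means "add to certificate" for both the CDP and the AIA extension.
Show-PublicationUrls 'CRLPublicationURLs'    $cdpFlags 2
Show-PublicationUrls 'CACertPublicationURLs' $aiaFlags 2
```

Changes to these values only affect certificates issued after the CA service is restarted, so compare the output with the defaults before editing anything.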

Thanks Vadims, I've solved my PKI issues and it was due to a faulty online responder. Once I'd solved that, I made sure that I set the permissions correctly on the security settings to enable the user account to have 'Read', 'Enroll' and 'Autoenroll' permissions.

Note that there is a slight difference between the downloadable version of the article found above and the web version. The downloadable one does not mention 'Enroll' permissions but only Read and Autoenroll.

Appreciated the advice
Mike
February 21st, 2011 4:14am
