How to change AIA and CDP location parameters?
Hi All, I opened the Enterprise PKI console with my CA hierarchy and I see that the AIA and CDP location parameters are not correct for some of the CAs. How can I change these parameters? I ran certutil -setreg CA\CRLPublicationURLs "1:%%windir%%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://www.dom.mydom.test/CertData/policyca_POLICYCA-CA.crt" on one of these CAs. After that I restarted the CA service on this server, refreshed the CA hierarchy in the Enterprise PKI console and still see the old parameters. How can I change them? Does each CA keep its settings in the registry locally or in AD?
May 27th, 2009 10:56am

I managed to set the correct parameters on all CAs, but when I open the Enterprise PKI console there are still the old values in it. How can I renew them?
May 28th, 2009 1:34pm

plasikman, certutil -setreg, as the command line suggests, sets the registry values for the AIA and CDP locations... What do you see when you go to the Certification Authority snap-in and look at the Extensions tab? Bear in mind that if you change these settings, they won't apply to any certificates that have already been issued by that CA, particularly with respect to the HTTP/LDAP URLs... The %%windir%% settings are purely for the local CA to publish the CRL/CRT files for the AIA/CDP. Not wishing to demean their value, but I personally find that the use of variables confuses the process (or maybe just me) and I manually enter the file system / LDAP and HTTP URLs I want to use through the Extensions tab... Having said that, I don't use delta CRLs (which is, I suspect, where the real value of variables was intended) because of shortcomings with respect to caching on (XP) clients. Regards, Mylo
May 29th, 2009 12:07am
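Mylo's point that certutil -setreg only writes registry values can be checked directly. The PowerShell below is added here as an example and is not part of the thread: it reads the CRLPublicationURLs and CACertPublicationURLs values under the CA's registry key, decodes the numeric flag in front of each URL into the check boxes of the Extensions tab, and then writes a corrected list the same way certutil -setreg does. The CA name, the HTTP base URL and the chosen flag combinations are assumptions; replace them with your own.

```powershell
# Added example (not from the thread): show what 'certutil -setreg CA\...PublicationURLs'
# actually writes, decode the flag prefix on each URL, then set a corrected list.
# Run in an elevated PowerShell on the CA itself. $CaName and $HttpBase are assumptions.

$CaName   = 'POLICYCA-CA'                          # assumption: CA common name from certsrv.msc
$HttpBase = 'http://www.dom.mydom.test/CertData'   # assumption: the HTTP location you really serve
$RegPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

# Meaning of the number in front of each URL (the check boxes on the Extensions tab are these bits).
$CrlFlags = @{ 1 = 'publish CRLs here'; 2 = 'CDP ext of issued certs'; 4 = 'freshest-CRL ext in CRLs'
               8 = 'all CRLs (AD publish target)'; 64 = 'publish delta CRLs here'; 128 = 'IDP ext of CRLs' }
$AiaFlags = @{ 1 = 'publish CA cert here'; 2 = 'AIA ext of issued certs'; 32 = 'OCSP entry in AIA ext' }

function Show-PublicationUrls {
    param([string]$ValueName, [hashtable]$Flags)
    $entries = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
    foreach ($entry in $entries) {
        $num, $url = $entry -split ':', 2           # "79:ldap:///CN=..." -> 79 and the URL
        $bits = $Flags.Keys | Where-Object { ([int]$num -band $_) -ne 0 } | Sort-Object |
                ForEach-Object { $Flags[$_] }
        '{0,4}  {1}' -f $num, $url
        '      -> ' + ($bits -join ', ')
    }
}

'== Current CDP (CRLPublicationURLs) =='
Show-PublicationUrls -ValueName 'CRLPublicationURLs'    -Flags $CrlFlags
'== Current AIA (CACertPublicationURLs) =='
Show-PublicationUrls -ValueName 'CACertPublicationURLs' -Flags $AiaFlags

# Corrected lists. Token meanings: %1 server DNS name, %2 server short name, %3 CA name,
# %4 certificate renewal suffix, %6 configuration DN, %7 truncated CA name, %8 CRL suffix,
# %9 delta-CRL suffix, %10/%11 CDP/CA object class. cmd.exe needs %%; PowerShell passes a single %.
$crlUrls = @(
    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'                          # 1+64: write base and delta CRL here
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'   # 1+2+4+8+64: publish to AD and reference it
    "6:$HttpBase/%3%8%9.crl"                                                      # 2+4: referenced only; copy the files there yourself
)
$aiaUrls = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'
    '3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
    "2:$HttpBase/%1_%3%4.crt"
)

# certutil's REG_MULTI_SZ syntax separates entries with a literal backslash-n, as in the original post.
certutil -setreg CA\CRLPublicationURLs    ($crlUrls -join '\n') | Out-Null
certutil -setreg CA\CACertPublicationURLs ($aiaUrls -join '\n') | Out-Null
Restart-Service CertSvc                    # the CA reads these values at start-up
certutil -crl | Out-Null                   # publish a fresh CRL to every flag-1 location
'== After =='
Show-PublicationUrls -ValueName 'CRLPublicationURLs'    -Flags $CrlFlags
Show-PublicationUrls -ValueName 'CACertPublicationURLs' -Flags $AiaFlags
```

Newly issued certificates and newly published CRLs pick up the corrected URLs immediately. Enterprise PKI, however, evaluates the AIA/CDP extensions embedded in each CA's own certificate, so for that CA it keeps showing the old URLs until the CA certificate itself is re-issued, which is why the registry change alone did not refresh the console.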

Hi Mylo, thanks for your response! Do I get it right that you suggest avoiding variables and entering direct LDAP and HTTP links instead? After I enter the new links on the Extensions tab and renew the certificates on all CAs, will I see the changes in the Enterprise PKI console?
May 29th, 2009 9:13am

Now I have changed all the links with the certutil command and renewed all CA certificates. On one of the CAs I have different links for the AIA HTTP location and the CDP HTTP location of the .crt file. How could this happen if I only set the certificate link once, not for AIA and CDP separately? Besides the "CA Certificate" parameter I now have a "<cert file name>(V1.1)" parameter for all CAs. What do I need them for? On the root CA it has Error status! If I renew the root CA certificate, do I have to renew all CA certificates or just publish the new root cert?
May 29th, 2009 12:32pm

plastikman, that's because the CA you've configured gets its AIA/CDP settings during the configuration of the CA (via the Certificate Services snap-in) and this information is embedded in the certificate issued to the CA. You can set your AIA/CDP settings via CAPOLICY.INF and copy this file to the \WINDOWS folder before configuration of Certificate Services on the subordinate... this will ensure that the SubCA certificate that is issued has the correct AIA/CDP settings during the CA configuration. Your root CA is now flagging an error because the AIA/CDP for the issued subordinate certificate are set to your "old" incorrect settings. It can be a very confusing process. If you can, I'd reinstall this CA (it sounds like you're not too far down the line in your configuration) and set the AIA/CDP correctly so they point to the correct distribution points during the subordinate setup. Let me know if this is not the case. Regards, Mylo
June 9th, 2009 10:10pm
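Whether Enterprise PKI reports an error depends on the URLs inside each CA certificate and on whether they can be fetched, not on the registry. The PowerShell below is added as an example and is not from the thread: it dumps the AIA/CDP URLs embedded in a CA certificate file, fetches each of them the way certutil -verify -urlfetch does, and writes the CAPolicy.inf sections that decide what goes into a root CA's own self-signed certificate when it is installed or renewed (a subordinate CA's certificate gets its URLs from the parent CA's publication lists at issuance instead). The certificate path, the URLs and the renewal parameters are assumptions.

```powershell
# Added example (not from the thread): check which CDP/AIA URLs a CA certificate actually carries,
# whether each one fetches, and how a ROOT CA's own self-signed certificate gets its URLs from
# CAPolicy.inf. The certificate path and URLs are assumptions; run elevated on the CA.

$CaCertFile = 'C:\Temp\policyca_POLICYCA-CA.crt'   # assumption: an exported CA certificate

# 1. The URLs inside the certificate. This is what Enterprise PKI (pkiview.msc) evaluates, so a
#    registry change alone never alters what it shows for this CA.
function Get-EmbeddedUrls {
    param([string]$CertFile)
    certutil -dump $CertFile |
        Select-String -Pattern '^\s*URL=(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}
'Embedded AIA/CDP URLs:'
Get-EmbeddedUrls -CertFile $CaCertFile | ForEach-Object { "  $_" }

# 2. Try to fetch each of them the way a client would. 'Failed' lines are the ones pkiview shows
#    as Error; the fix is on the publishing side or by re-issuing the certificate, not in the registry.
'URL fetch results:'
certutil -verify -urlfetch $CaCertFile |
    Select-String -Pattern '^\s*(Verified|Failed|Expired|Error)\b' |
    ForEach-Object { '  ' + $_.Line.Trim() }

# 3. CAPolicy.inf is read from %WINDIR% when the CA is installed and again on every
#    'Renew CA Certificate'. For a root CA it decides the CDP/AIA written into the self-signed
#    certificate. 'Empty=True' in either section leaves the extension out entirely, the usual choice
#    for a root, whose self-signed certificate is not revocation-checked by clients anyway.
$CaPolicy = @'
[Version]
Signature="$Windows NT$"

[CRLDistributionPoint]
URL=http://www.dom.mydom.test/CertData/RootCA.crl

[AuthorityInformationAccess]
URL=http://www.dom.mydom.test/CertData/RootCA.crt

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=1
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $CaPolicy -Encoding Ascii

# Next steps, run by hand once the file is in place: renew the root certificate with the SAME key
# (existing subordinate CA certificates keep chaining to it, so only the new root certificate needs
# to be published and distributed), then publish it to AD and issue a fresh CRL.
#   certutil -renewCert ReuseKeys
#   certutil -dspublish -f <path to the new root .crt> RootCA
#   certutil -crl
```

Run the first two parts against each CA certificate that Enterprise PKI flags; the file written in part 3 only matters on the root CA, and only when the root certificate is installed or renewed.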
