Importance of AD CDP Container
Hi, I've just implemented a 2008 R2 two-tier PKI for testing. I opted for a single HTTP URL for AIA & CDP in issued certificates. I used standard practice to build online enterprise CAs & configured them with a post-installation script. AIA & CDP config as follows:

certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n6:http://mycompany/CRL/%%3%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%4.crt\n2:http://mycompany/AIA/%%3%%4.crt"

A scheduled script copies the actual files to the web server when a new CRL is published. So far so good...

When I use Enterprise PKI View to manage AD containers I notice the CDP container contains base & delta CRLs for the issuing CAs. Closer examination shows these are the first base & delta CRLs issued by the CAs. They are expired / expiring & I have a couple of questions for clarification:

1. I think these exist because the CA published them by default when the service was started for the first time, but before the post-installation script modified the locations. Subsequent publication doesn't use this location so they're never updated. Is this correct?

2. I'm now concerned that I should be publishing to the LDAP location even if it's not included in the issued certificates. Other than to keep PKI View happy, is there a technical reason to do so?

Thanks
Douks
February 29th, 2012 11:58am

1. True, this is just the way you are describing it.

2. No, you never need to publish the CRL to LDAP if it is not actively used as a CDP in your issued certificates. PKI View is going to be happy without it simply because it enumerates the current config of your CA and only lists/verifies the CDP URLs included in that.

/Hasain
February 29th, 2012 1:00pm
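To check a CA's publication strings the way the question and Hasain's answer above reason about them, here is an added Python example (not code from this thread or from Microsoft): it decodes the numeric CSURL flag prefix of each CA\CRLPublicationURLs / CA\CACertPublicationURLs entry, expands the %3/%4/%8/%9 tokens, and reports which URLs end up in issued certificates, which ones the CA writes itself, and whether anything is still published to the AD CDP/AIA containers. The CA name used when expanding is a made-up value; the flag values are the documented certsrv constants.

```python
import re
from dataclasses import dataclass

# CSURL_* flag bits in the numeric prefix of each CRLPublicationURLs / CACertPublicationURLs entry.
CSURL_FLAGS = {
    1: "SERVERPUBLISH",        # the CA itself writes the CRL / CA cert file here
    2: "ADDTOCERTCDP",         # URL goes into the CDP (or AIA) extension of issued certs
    4: "ADDTOFRESHESTCRL",     # URL goes into the Freshest CRL extension (delta pointer)
    8: "ADDTOCRLCDP",          # URL goes into the CDP extension of the CRL itself
    16: "PUBLISHRETRY",        # retry a failed publish
    32: "ADDTOCERTOCSP",       # URL goes into the AIA extension as an OCSP responder
    64: "SERVERPUBLISHDELTA",  # the CA itself writes delta CRLs here
    128: "ADDTOIDP",           # URL goes into the Issuing Distribution Point extension
}

@dataclass
class PublicationUrl:
    flags: int
    template: str

    def flag_names(self) -> list[str]:
        return [name for bit, name in CSURL_FLAGS.items() if self.flags & bit]

    def expand(self, ca_name: str, cert_suffix: str = "", crl_suffix: str = "", delta: bool = False) -> str:
        # Tokens used on this page: %3 CAName, %4 CertificateName (e.g. "(1)" after a renewal),
        # %8 CRLNameSuffix (same idea for CRLs), %9 DeltaCRLAllowed ("+" only in the delta CRL name).
        tokens = {"3": ca_name, "4": cert_suffix, "8": crl_suffix, "9": "+" if delta else ""}
        return re.sub(r"%%?(\d+)", lambda m: tokens.get(m.group(1), m.group(0)), self.template)

def parse_publication_urls(value: str) -> list[PublicationUrl]:
    """Split a certutil -setreg value into entries; certutil's separator is a literal \\n."""
    entries = []
    for raw in re.split(r"\\n|\n", value):
        if raw.strip():
            flags, _, template = raw.strip().partition(":")
            entries.append(PublicationUrl(int(flags), template))
    return entries

def audit(entries: list[PublicationUrl]) -> dict:
    """What clients are told versus what the CA actually writes (the thread's Q1 and Q2)."""
    in_certs = [e.template for e in entries if e.flags & (2 | 4 | 32)]
    ca_writes = [e.template for e in entries if e.flags & (1 | 64)]
    return {
        "in_issued_certs": in_certs,
        "written_by_ca": ca_writes,
        # Advertised but not written by the CA: fed out of band (the thread's copy job) or unreachable.
        "needs_external_copy": [u for u in in_certs if u not in ca_writes],
        # Without an ldap:/// entry carrying SERVERPUBLISH the AD CDP/AIA containers go stale.
        "publishes_to_ad": any(e.flags & 1 and e.template.lower().startswith("ldap:") for e in entries),
    }
```

Run it over the two strings from the question and the result shows the HTTP URLs as the only ones clients see, the local CertEnroll path as the only place the CA writes, and no LDAP publication at all, which is exactly why the CRLs in the AD CDP container are never refreshed.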

Thanks Hasain. That's what I thought - just needed confirmation for peace of mind. I'll go ahead & delete the CRLs that have been published to AD.

For the AIA AD container I assume the enterprise CA certs are populated for the same reason (and can be deleted), but I've just noticed the offline root CA cert is in there too & I'm not sure why. The standard "certutil -dspublish -f blabla.crt RootCA", which was run prior to keying the online CAs, I think should just have populated the DS trusted root store, so I can only assume that the online CAs must have also populated the root cert when they published their own certs? Please could you confirm. Thanks.

Douks
February 29th, 2012 3:00pm

The AIA container is not only used to reflect the AIA extension found in the certificates. It actually serves as a store where the intermediate/sub CAs can be found. Based on that, you should not delete the objects in the AIA container unless the CA is not trusted anymore!

/Hasain
February 29th, 2012 4:30pm

Thanks again.

Douks
March 1st, 2012 3:01am
