Post-install script on issuing CA - AIA and CDP extensions
I've just finished installing the second of two CAs: the first was the offline root CA and this one, the second, is an issuing CA. I'm looking at the AIA and CDP extensions. I'm trying to determine if I need to change anything at this level with a post-install script. In my current scenario, I want certificates and CRLs available for consultation in Active Directory (LDAP) and on an IIS server (HTTP), which is one and the same as the issuing CA server. If current settings are acceptable, why would I modify anything with a post-install script?

Here are current extension settings for AIA:
- C:\Windows\System32\Certsrv\CertEnroll ----> Nothing configured, all options grayed out.
- LDAP ----> Include in the AIA extension of issued certificates (OCSP option grayed out - not using this).
- HTTP ----> Include in the AIA extension of issued certificates (OCSP option grayed out - not using this).
- File ----> Nothing checked, OCSP option grayed out.

Here are current extension settings for CDP:
- C:\Windows\System32\Certsrv\CertEnroll ----> Publish CRLs to this location; Publish Delta CRLs to this location (all other options grayed out).
- LDAP ----> All options checked EXCEPT the last (Include in the IDP extension of issued CRLs).
- HTTP ----> Include in CRLs. Clients use this to find Delta CRL locations; Include in the CDP extension of issued certificates (all other options grayed out or unchecked).
- File ----> Nothing checked, OCSP option grayed out.

* Are these options correct? I'm wondering about the CDP-HTTP options. It looks like the location will be published in CRLs and in the CDP extension of issued certs, but CRLs and Delta CRLs will not be published to this location (grayed out and unchecked). Does that look right?

Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
March 25th, 2012 4:50pm

It seems you are going to use default URLs for CDP and AIA extensions. They are just fine for forest members. Workgroup members may not be able to access them.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
March 26th, 2012 1:09am
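The answer above is the practical reason a post-install script exists: the default lists put ldap:/// first and use the CA's own host name (%1) in the http:// URL, so a non-domain client that cannot reach LDAP waits for that lookup to fail before trying HTTP, and moving the CA to another host later would break every issued certificate's HTTP pointer. The script below is an added example, not code from the thread or from either poster. It rewrites the CDP and AIA lists with the same flag combinations the question describes (file: publish base and delta CRLs; LDAP: include in certificates and CRLs; HTTP: include in certificates and as the Freshest CRL pointer), but with HTTP listed before LDAP and pointing at a DNS alias. The alias name pki.corp.example.com and the IIS site name "Default Web Site" are assumptions you must replace. The flag numbers are the documented certutil values (1, 2, 4, 8, 64, 128 for CDP; 1, 2, 32 for AIA); the variable tokens %1..%11 are the standard CA replacement tokens.

```powershell
# Added example (not from the thread): issuing CA post-install script that rewrites
# the CDP/AIA URL lists, restarts certsvc, publishes a CRL and checks the result.
# Run in an elevated PowerShell session on the issuing CA.
# ASSUMPTIONS: 'pki.corp.example.com' is a DNS alias (CNAME) you create for the
# issuing CA / IIS server; the IIS site is named 'Default Web Site' and its
# /CertEnroll virtual directory maps to %WINDIR%\System32\CertSrv\CertEnroll.
$HttpHost = 'pki.corp.example.com'   # assumption: replace with your own alias
$IisSite  = 'IIS:\Sites\Default Web Site'   # assumption

# certutil flag values (the check boxes in the Extensions tab, as numbers).
$CDP = @{
    PublishToServer      = 1    # Publish CRLs to this location
    AddToCertCdp         = 2    # Include in the CDP extension of issued certificates
    AddToFreshestCrl     = 4    # Include in CRLs. Clients use this to find Delta CRL locations
    AddToCrlCdp          = 8    # Include in all CRLs (where to publish in AD)
    PublishDeltaToServer = 64   # Publish Delta CRLs to this location
    AddToIdp             = 128  # Include in the IDP extension of issued CRLs (not used)
}
$AIA = @{
    PublishToServer = 1    # Publish to this location
    AddToCertAia    = 2    # Include in the AIA extension of issued certificates
    AddToCertOcsp   = 32   # Include in the OCSP extension (no OCSP responder here)
}

# Each entry is "<flags>:<url>"; entries are separated by a literal \n for certutil.
# File path  : publish base + delta CRL here (1 + 64 = 65). IIS serves this folder.
# HTTP       : in certificates and as the Freshest CRL pointer (2 + 4 = 6).
#              HTTP is never a publish target, hence the greyed-out boxes in the MMC.
# LDAP       : in certificates and in CRLs (2 + 8 = 10), last so workgroup clients
#              reach HTTP first.
$CdpUrls = @(
    "$($CDP.PublishToServer + $CDP.PublishDeltaToServer):%WINDIR%\System32\CertSrv\CertEnroll\%3%8%9.crl",
    "$($CDP.AddToCertCdp + $CDP.AddToFreshestCrl):http://$HttpHost/CertEnroll/%3%8%9.crl",
    "$($CDP.AddToCertCdp + $CDP.AddToCrlCdp):ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
) -join '\n'

$AiaUrls = @(
    "$($AIA.PublishToServer):%WINDIR%\System32\CertSrv\CertEnroll\%1_%3%4.crt",
    "$($AIA.AddToCertAia):http://$HttpHost/CertEnroll/%1_%3%4.crt",
    "$($AIA.AddToCertAia):ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
) -join '\n'

certutil -setreg CA\CRLPublicationURLs   $CdpUrls
certutil -setreg CA\CACertPublicationURLs $AiaUrls

# CRL lifetimes typical for an online issuing CA (adjust to your CPS).
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

# Delta CRL file names contain '+', which IIS request filtering rejects unless
# double escaping is allowed on the site.
Import-Module WebAdministration
Set-WebConfigurationProperty -Filter /system.webServer/security/requestFiltering `
    -Name allowDoubleEscaping -Value $true -PSPath $IisSite

Restart-Service certsvc      # the CA reads the URL lists at start-up
certutil -crl                # publish a fresh base + delta CRL to file and LDAP

# Checks: read the lists back, fetch the newest CRL over HTTP through the alias,
# and chain-verify the CA certificate while fetching every AIA/CDP URL it carries.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
$crl = Get-ChildItem "$env:WINDIR\System32\CertSrv\CertEnroll\*.crl" |
       Sort-Object LastWriteTime | Select-Object -Last 1
(Invoke-WebRequest -UseBasicParsing "http://$HttpHost/CertEnroll/$($crl.Name)").StatusCode
$caCert = Get-ChildItem "$env:WINDIR\System32\CertSrv\CertEnroll\*.crt" | Select-Object -First 1
certutil -verify -urlfetch $caCert.FullName
```

Two points worth keeping in mind when adapting this. First, the URL lists are baked into certificates at issuance, so run the script before the CA issues anything other than its own CRLs; changing them later only affects new certificates, and the old ones keep pointing wherever they pointed. Second, the final `certutil -verify -urlfetch` is the check that matters: it reports each AIA and CDP URL as OK, failed or unreachable, which is exactly the test a workgroup machine would fail against the ldap:/// entries.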

This topic is archived. No further replies will be accepted.
