Root CA Certificate Renewal
Hi, I have some questions regarding the Root CA renewal process.

As far as I know it is recommended to configure no CDPs for Root CA certificates because clients usually do not check that and on a Windows CA there is no possibility to revoke a root CA certificate. So I added the following lines to the Root CA's CAPolicy.inf:

    [CRLDistributionPoint]
    Empty=true

    [AuthorityInformationAccess]
    Empty=true

Consequently my initial Root CA certificate did not have any CDP or AIA. After installation of the Root CA I configured some CDPs and AIA because I wanted these to appear in the Issuing CA's certificate.

Now I renewed the Root CA certificate using a new key pair. The newly generated Root CA certificate included the CDPs from my current Root CA configuration. Additionally the Root CA generated 2 cross CA certificates.

1. Does it make sense to have the CDPs included in the Root CA certificate although there is no chance to revoke the Root CA certificate? Is there a way to avoid that?

2. How exactly does the cross certification work? Do I need to publish these cross certification certificates to the AIA distribution points or are these only needed by the Root CA?

3. The LDAP AIA of the new Root CA certificate (included in a renewed Issuing CA certificate) is exactly the same path as for the initial Root CA certificate:

    ldap:///CN=Customer-Root-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=customer,DC=org?cACertificate?base?objectClass=certificationAuthority

Both certificates, the initial and the new, can be verified. "Certutil -URL" lists the old and the new certificate, the first with status "Wrong Issuer", the second with status "Verified". MS documentation says "...AIA URL that points to a multivalued object and distinguishes certificates in the same object by the search suffix..." (http://technet.microsoft.com/en-us/library/cc780454(WS.10).aspx). Can someone please explain how exactly this works? Does it check all the values of the multivalued object? I cannot see a different suffix.

Thanks, Frank
August 17th, 2010 10:42am
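
Question 3 above turns on how a chain engine tells the old root and the renewed root apart when both sit as values of one cACertificate attribute at the same LDAP path. The PowerShell below is an added example, not code from the thread or from Microsoft: it pulls every cACertificate value from the quoted AIA object and compares each root's Subject Key Identifier (SKI) with the Authority Key Identifier (AKI) in the renewed Issuing CA certificate, which is the match a chain builder uses to pick the issuer. The Issuing CA file path is a placeholder, and the script assumes it runs on a domain-joined machine that can read the Configuration partition.

```powershell
# Added example (not from the thread): enumerate the cACertificate values of the AIA object
# and report which root the Issuing CA certificate actually chains to (SKI == AKI).
$AiaPath       = 'LDAP://CN=Customer-Root-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=customer,DC=org'
$IssuingCaFile = 'C:\Temp\IssuingCA.cer'   # placeholder: export the renewed Issuing CA cert first

function Get-KeyIdentifier {
    # Returns the KeyID of an SKI (2.5.29.14) or AKI (2.5.29.35) extension as uppercase hex
    # without separators, or $null when the extension is absent.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if (-not $ext) { return $null }
    if ($Oid -eq '2.5.29.14') {
        $ski = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension -ArgumentList $ext, $false
        return $ski.SubjectKeyIdentifier.ToUpper()
    }
    # .NET Framework has no typed AKI class; parse the "KeyID=xx xx ..." text CryptoAPI formats on Windows.
    $text = $ext.Format($false)
    if ($text -match 'KeyID=([0-9a-fA-F ]+)') { return ($Matches[1] -replace ' ', '').ToUpper() }
    return $null
}

$issuingCa = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $IssuingCaFile
$wantedAki = Get-KeyIdentifier -Cert $issuingCa -Oid '2.5.29.35'
"Issuing CA '{0}' expects issuer KeyID {1}" -f $issuingCa.Subject, $wantedAki

# Every value of the multivalued cACertificate attribute is fetched; only the one whose SKI
# equals the Issuing CA's AKI is a valid issuer. After a renewal with a new key pair the old
# root keeps its old SKI, which is why tools report it as "Wrong Issuer" for the new chain.
$aiaObject = [adsi]$AiaPath
$index = 0
foreach ($raw in $aiaObject.Properties['cACertificate']) {
    $index++
    $root = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$raw)
    $ski  = Get-KeyIdentifier -Cert $root -Oid '2.5.29.14'
    $verdict = if ($ski -eq $wantedAki) { 'MATCH: this value is the issuer' } else { 'no match: different key (old root)' }
    "[{0}] {1}  NotAfter={2:yyyy-MM-dd}  SKI={3}  {4}" -f $index, $root.Thumbprint, $root.NotAfter, $ski, $verdict
}
```

If neither value reports MATCH, the Issuing CA certificate was not issued by any root published at that AIA object, and the chain will fail regardless of which value the URL "suffix" selects.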

Does this solve your problem? http://support.microsoft.com/kb/927169
August 30th, 2010 12:03pm
