pkiview.msc reports "unable to download" Delta CRL, which isn't used

Hi,

We have a Windows 2008 R2 enterprise issuing CA. The CA is configured to publish only the base CRL; this works fine and pkiview reports the status as OK for the Base CRL. However, pkiview reports the status for Delta CRL Location #1 (HTTP) and #2 (AD) as "unable to download".

Since the CA doesn't publish a delta CRL, I wonder why pkiview is trying to verify something that's not in use?

I've verified that only the base CRL is published to the local file system (c:\windows\system32\certsrv\certenroll) when doing a certutil -crl.

When using the CA admin tool (Properties on the CA, the Extensions tab, selecting the extension "CRL Distribution Point"), "Publish Delta CRLs to this location" is not selected on any of the 3 CDP points.

Regards,
Daniel
www.twitter.com/danielullmark
May 30th, 2012 12:02pm

I think it is because you didn't deselect the "Include in CRLs. Clients use this to find Delta CRL locations" entry in the Extensions tab (where you configured the CDP extension) for the HTTP links.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
May 30th, 2012 12:39pm

Revoke the CA Exchange certificate and restart the cert service. The values in PKIView are read from the current CA Exchange certificate. My guess is that you had Delta CRL enabled when the CA was installed instead of changing the standard CDP with CAPolicy.inf.
May 30th, 2012 2:39pm

> Revoke the CA Exchange certificate and restart the cert service. The values in PKIView are read from the current CA Exchange certificate. My guess is that you had Delta CRL enabled when the CA was installed instead of changing the standard CDP with CAPolicy.inf.

You are incorrect. First, PKIView uses the CA Exchange certificate only to locate OCSP URLs (CDP/AIA URLs are retrieved directly from the CA server). Second, Delta CRL URLs are not included in any certificates; they are defined in CRLs only.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
May 30th, 2012 2:53pm

> Revoke the CA Exchange certificate and restart the cert service. The values in PKIView are read from the current CA Exchange certificate. My guess is that you had Delta CRL enabled when the CA was installed instead of changing the standard CDP with CAPolicy.inf.

> You are incorrect. First, PKIView uses the CA Exchange certificate only to locate OCSP URLs (CDP/AIA URLs are retrieved directly from the CA server). Second, Delta CRL URLs are not included in any certificates; they are defined in CRLs only.

Vadims, you're absolutely right about the Delta CRL URL. They are certainly not included in any certificates whatsoever. (I didn't read the initial post well enough and "blocked out" Delta for some reason.)

But are you absolutely 100% sure that PKIView just reads the OCSP URL from the CA Exchange cert? And in that case: how come it just fetches the OCSP URL from the cert and AIA/CDP from the CA server? I'm quite sure that I've come across CDP errors in PKIView that were corrected when I got a new CA Exchange cert.
May 30th, 2012 3:32pm

> But are you absolutely 100% sure that PKIView just reads the OCSP URL from the CA Exchange cert?

Yes. PKIView used the CA Exchange certificate for all URL information (including AIA and CDP) in Windows Server 2003. Since Windows Server 2008, the behavior was changed. Speaking in low detail, new properties were added to the ICertAdmin/ICertRequest COM interfaces (GetCAProperty method): http://msdn.microsoft.com/en-us/library/aa383238(VS.85).aspx

Look for the CR_PROP_CERTAIAURLS and CR_PROP_CERTCDPURLS PropIds. They were introduced in Windows Server 2008. All possible properties are defined in MS-WCCE (the protocol used for all communications with the CA service) 3.2.1.4.3.2: http://msdn.microsoft.com/en-us/library/cc249749(PROT.13).aspx. However, not all operating systems support all of them. Here is a little example:

    PS C:\> $CertAdmin = New-Object -ComObject CertificateAuthority.Admin
    PS C:\> $CertAdmin.GetCAProperty("dc2\contoso-dc2-ca",0x29,0,4,0)
    http://www.contoso.com/pki/contoso-DC2-CA.crl
    PS C:\> $CertAdmin.GetCAProperty("dc2\contoso-dc2-ca",0x2a,0,4,0)
    http://www.contoso.com/pki/dc2ica.crt
    PS C:\> $CertAdmin.GetCAProperty("dc2\contoso-dc2-ca",0x2b,0,4,0)
    http://ocsp.contoso.com/
    http://dc2.contoso.com/ocsp
    PS C:\>

Even though there is CR_PROP_CERTAIAOCSPURLS (as in the last method call), it is almost impossible to differentiate AIA and OCSP URLs; therefore PKIView still uses CA Exchange to extract the exact URLs. When you are dealing with certificates, it is possible to extract the exact URL type as described here: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=62

If you have both Windows Server 2003 and Windows Server 2008-based CAs you can perform a little test:
1) run PKIView.msc on both CAs;
2) on the Windows Server 2008 CA add a CDP URL (any fake URL) and restart certificate services;
3) refresh the CA-related node in both PKIView consoles.

You will notice that PKIView on Windows Server 2008 immediately (after a simple refresh) displays the new URL (with an error, but that doesn't matter). But PKIView on Windows Server 2003 will not display new URLs until you revoke and re-issue a new CA Exchange certificate.

HTH.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
May 30th, 2012 4:17pm
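An added example that builds on the GetCAProperty calls in the post above (this is not code from the thread or from the PSPKI module): it pulls the CDP, AIA and OCSP URL lists the CA advertises and tests whether each HTTP CDP/AIA URL is actually downloadable, which is the check behind PKIView's "unable to download" status. The CA config string is an assumption to be replaced; the property IDs are the documented CR_PROP_CERTCDPURLS (0x29), CR_PROP_CERTAIAURLS (0x2A) and CR_PROP_CERTAIAOCSPURLS (0x2B). It uses System.Net.WebRequest so it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example, not code from the thread. Assumes a Windows Server 2008 or later CA
# whose config string (<host>\<CA name>) you substitute below.
param([string]$CAConfig = "dc2\contoso-dc2-ca")   # assumption: replace with your CA

function Get-CAUrlList {
    param([string]$Config, [int]$PropId)
    $CertAdmin = New-Object -ComObject CertificateAuthority.Admin
    # index 0 = current CA certificate, 4 = PROPTYPE_STRING, flags 0
    $Raw = $CertAdmin.GetCAProperty($Config, $PropId, 0, 4, 0)
    # the CA returns one newline-separated string; drop blank entries
    $Raw -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-HttpUrl {
    param([string]$Url)
    # a HEAD request is enough to prove the CRL/certificate is served at that URL
    try {
        $Req = [System.Net.WebRequest]::Create($Url)
        $Req.Method = 'HEAD'
        $Req.Timeout = 10000
        $Resp = $Req.GetResponse()
        $Code = [int]$Resp.StatusCode
        $Resp.Close()
        return "HTTP $Code"
    } catch {
        return "FAILED: $($_.Exception.Message)"
    }
}

$Props = @(
    @{ Name = 'CDP';  Id = 0x29 },   # CR_PROP_CERTCDPURLS
    @{ Name = 'AIA';  Id = 0x2a },   # CR_PROP_CERTAIAURLS
    @{ Name = 'OCSP'; Id = 0x2b }    # CR_PROP_CERTAIAOCSPURLS
)

foreach ($P in $Props) {
    foreach ($Url in (Get-CAUrlList -Config $CAConfig -PropId $P.Id)) {
        if ($P.Name -eq 'OCSP' -or $Url -notmatch '^https?://') {
            # OCSP responders answer OCSP requests, not plain HEAD; LDAP and file URLs
            # need their own check, so these are listed without being fetched
            "{0,-5} {1}  (listed only)" -f $P.Name, $Url
        } else {
            "{0,-5} {1}  {2}" -f $P.Name, $Url, (Test-HttpUrl -Url $Url)
        }
    }
}
```

Note that this only covers the rows PKIView derives from the CA's own properties; the Delta CRL rows come from the Freshest CRL extension inside the published base CRL, so a CA that still emits that extension will show delta locations here even though nothing publishes a delta CRL.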

This thread contains lots of good info, thank you Vadims and Scones.

Vadims, you write: "I think it is because you didn't deselect the "Include in CRLs. Clients use this to find Delta CRL locations" entry in the Extensions tab (where you configured the CDP extension) for the HTTP links."

What about certificates already issued, do they need to be reissued because they contain a reference to a non-existent delta CRL? The answer to my question is most likely no, but a second opinion is much appreciated.

Best regards,
Daniel
www.twitter.com/danielullmark
May 30th, 2012 4:40pm

No, there is no need. As said in my first post here, Delta CRL locations are defined in CRLs only. Therefore it is enough to edit the CDP extension and issue a new CRL. The new CRL will not contain any Delta CRL locations.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
May 30th, 2012 4:43pm
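An added check (not from the thread) for the fix described above. The "Include in CRLs. Clients use this to find Delta CRL locations" checkbox is the CSURL_ADDTOFRESHESTCRL bit (value 4) in the numeric prefix of each entry of the CA's CRLPublicationURLs registry value, and "Publish Delta CRLs to this location" is CSURL_SERVERPUBLISHDELTA (64). The script reads that value, reports which CDP entries still carry either bit, and then runs certutil -dump over the published base CRLs to confirm none of them carries the Freshest CRL extension (OID 2.5.29.46), the only place delta CRL URLs live. The registry path and CertEnroll folder are the defaults on a Windows Server 2008 R2 CA; run it elevated on the CA itself.

```powershell
# Added example, not code from the thread. Run on the CA (elevated). Paths are the
# defaults for a Windows Server 2008 R2 CA; adjust if your CA publishes elsewhere.
$CSURL_ADDTOFRESHESTCRL   = 4    # "Include in CRLs. Clients use this to find Delta CRL locations"
$CSURL_SERVERPUBLISHDELTA = 64   # "Publish Delta CRLs to this location"

function Get-CdpEntryFlags {
    # Returns each CDP entry with the two delta-related bits decoded
    $ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $CAName  = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    $Entries = (Get-ItemProperty -Path (Join-Path $ConfigKey $CAName) -Name CRLPublicationURLs).CRLPublicationURLs
    foreach ($Entry in $Entries) {
        # each entry is "<flags>:<url>", e.g. "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl"
        $FlagText, $Url = $Entry -split ':', 2
        $Flags = [int]$FlagText
        New-Object PSObject -Property @{
            Url             = $Url
            AdvertisesDelta = (($Flags -band $CSURL_ADDTOFRESHESTCRL) -ne 0)
            PublishesDelta  = (($Flags -band $CSURL_SERVERPUBLISHDELTA) -ne 0)
        }
    }
}

function Test-CrlHasFreshestCrl {
    param([string]$CrlPath)
    # certutil -dump prints every extension; 2.5.29.46 is Freshest CRL (delta CRL distribution point)
    $Dump = certutil -dump $CrlPath 2>&1 | Out-String
    return (($Dump -match '2\.5\.29\.46') -or ($Dump -match 'Freshest CRL'))
}

"CDP entries as configured in the registry:"
Get-CdpEntryFlags | Format-Table Url, AdvertisesDelta, PublishesDelta -AutoSize

"Published base CRLs:"
$CrlDir = Join-Path $env:SystemRoot 'System32\certsrv\CertEnroll'
# delta CRLs are written as <name>+.crl, so exclude those and inspect only base CRLs
Get-ChildItem -Path $CrlDir -Filter *.crl | Where-Object { $_.Name -notmatch '\+\.crl$' } | ForEach-Object {
    if (Test-CrlHasFreshestCrl -CrlPath $_.FullName) {
        "{0}: still carries a Freshest CRL extension; clear the flag, restart CertSvc and run certutil -crl" -f $_.Name
    } else {
        "{0}: no Freshest CRL extension" -f $_.Name
    }
}
```

If the registry rows show AdvertisesDelta = True on an HTTP entry while PublishesDelta is False everywhere, that is exactly the mismatch in this thread: the base CRL points clients (and PKIView) at a delta CRL that is never written. After clearing the bit, the CRL on disk keeps the old extension until the next certutil -crl, so re-run the second half of the script after republishing.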
