I have deployed a two-tier CA on Windows 2008 R2 Enterprise:
Offline Root to Subordinate Issuing CA. Copied the Root Cert and CRL files. IIS is running on the subCA server and has Directory Browsing and double-escaping enabled. Published root cert and CRL to AD.
Here are my CRL publishing URLs:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\uname2>certutil -getreg ca\crlpublicationurls
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA01\CRLPublicationURLs:
CRLPublicationURLs REG_MULTI_SZ =
0: 65:C:\Windows\system32\CertSrv\CertEnroll\%%3%%8%%9.crl
CSURL_SERVERPUBLISH -- 1
CSURL_SERVERPUBLISHDELTA -- 40 (64)
1: 6:http://crl1.contoso.org/CertEnroll/%%3%%8%%9.crl
CSURL_ADDTOCERTCDP -- 2
CSURL_ADDTOFRESHESTCRL -- 4
CertUtil: -getreg command completed successfully.
PKIView shows an error for the CDP Location #1: Unable to download. I can browse to the http address and see the CRL files. Not sure where to go with this. I have tried shared access to the CRL folder (C:\Windows\System32\CertSrv\Certenroll).
Any advice is helpful.