I followed this guide on creating a Two-Tier PKI hierarchy and it all seems to work quite well except for the CRL publishing. In the guide, they walk you through creating the appropriate CDP / AIA distribution points, one of which is a network file location that is essentially a shared folder on the PKI server named PKI. I have noticed a few things though that do not seem to work.
1. The CRL does not automatically publish itself; it seems to be a manual-only approach. Not sure what good this is in an Enterprise environment where someone would need to look at it every 2 weeks and make sure the CRLs have been updated.
2. Even though at the bottom of the guide it tells you to run the certutil -crl command, "which publishes the CRL to the locations that you specified in the CA Properties Extensions tab", I have noticed that it only publishes the CRL to the default CertEnroll folder. It does not publish it to the shared folder specified in the 1:file:// location, as seen here. I am forced to manually copy the CRL into that directory.
certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.contoso.com/pki/%3%8.crl"
certutil -setreg CA\CACertPublicationURLs "2:http://pki.contoso.com/pki/%1_%3%4.crt\n1:file://\\mcpki.contoso.com\pki\%1_%3%4.crt"
MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003
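Added example, not part of the original post or of the guide it refers to: a small Python audit that parses the two certutil -setreg values quoted in the post, decodes each entry's flag bits using the bit meanings from the certutil -setreg documentation (1 = the CA itself writes the file to that location, 2 = the location is advertised in the CDP/AIA extension of issued certificates, and so on), and lists folders that receive the CA certificate but have no CRL entry carrying the publish bit. The two registry strings are copied from the post; the function names and the folder comparison are this example's own.

```python
import re

# Constructed from the two certutil -setreg lines in the post above, exactly as
# typed on the command line (certutil translates the literal "\n" into a newline).
CRL_PUBLICATION_URLS = (
    r"1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl"
    r"\n2:http://pki.contoso.com/pki/%3%8.crl"
)
CACERT_PUBLICATION_URLS = (
    r"2:http://pki.contoso.com/pki/%1_%3%4.crt"
    r"\n1:file://\\mcpki.contoso.com\pki\%1_%3%4.crt"
)

# Flag bits of a CA\CRLPublicationURLs entry (certutil -setreg documentation).
CRL_FLAG_BITS = {
    1:   "publish CRLs to this location",
    2:   "include in the CDP extension of issued certificates",
    4:   "include in CRLs (clients use it to find delta CRLs)",
    8:   "include in all CRLs (AD DS location for manual publish)",
    64:  "publish delta CRLs to this location",
    128: "include in the IDP extension of issued CRLs",
}
# Flag bits of a CA\CACertPublicationURLs entry.
AIA_FLAG_BITS = {
    1:  "publish CA certificates to this location",
    2:  "include in the AIA extension of issued certificates",
    32: "include in the OCSP extension of issued certificates",
}

PUBLISH = 1  # CSURL_SERVERPUBLISH: the CA service itself writes the file here


def parse_publication_urls(value):
    """Split 'flags:url\\nflags:url' into (flags, url) pairs.

    Accepts both the real newlines that 'certutil -getreg' prints and the literal
    two-character '\\n' that 'certutil -setreg' turns into a newline. Because the
    separator is backslash-n, a folder name beginning with 'n' would be split too;
    certutil has the same limitation.
    """
    entries = []
    for item in value.replace("\\n", "\n").splitlines():
        item = item.strip()
        if not item:
            continue
        flags, sep, url = item.partition(":")
        if not sep or not flags.isdigit():
            raise ValueError(f"malformed publication entry: {item!r}")
        entries.append((int(flags), url))
    return entries


def describe(entries, bit_names):
    """Map each URL to the list of behaviours its flag value enables."""
    return {
        url: [name for bit, name in bit_names.items() if flags & bit]
        for flags, url in entries
    }


def directory_of(url):
    """Drop the file-name token (%3%8.crl, %1_%3%4.crt, ...) to get the folder."""
    return re.sub(r"[\\/][^\\/]*$", "", url)


def unpublished_crl_locations(crl_value, aia_value):
    """Folders the CA writes its certificate to but never writes a CRL to.

    A folder that receives the CA certificate (AIA entry with bit 1) but has no
    CRL entry with bit 1 will keep a stale or missing CRL after 'certutil -crl',
    because the CA only writes CRLs to entries carrying the publish bit.
    """
    crl_dirs = {directory_of(u) for f, u in parse_publication_urls(crl_value) if f & PUBLISH}
    aia_dirs = {directory_of(u) for f, u in parse_publication_urls(aia_value) if f & PUBLISH}
    return sorted(aia_dirs - crl_dirs)


if __name__ == "__main__":
    for label, value, bits in (
        ("CRLPublicationURLs", CRL_PUBLICATION_URLS, CRL_FLAG_BITS),
        ("CACertPublicationURLs", CACERT_PUBLICATION_URLS, AIA_FLAG_BITS),
    ):
        print(label)
        for url, behaviours in describe(parse_publication_urls(value), bits).items():
            print(f"  {url}")
            for behaviour in behaviours:
                print(f"    - {behaviour}")
    print("CA-cert folders with no CRL publish entry:",
          unpublished_crl_locations(CRL_PUBLICATION_URLS, CACERT_PUBLICATION_URLS))
```

To audit a live CA instead of the quoted strings, feed the script the output of `certutil -getreg CA\CRLPublicationURLs` and `certutil -getreg CA\CACertPublicationURLs`; the parser accepts the real newlines those commands print. Any folder the check reports is one where `certutil -crl` will never refresh the CRL, which is the pattern worth looking for before relying on a share as a CDP.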