Another problem for you fine experts to consider...2 tier PKI, offline Root 2008 R2, 1 Sub Ent CA in Domain1 (2008 R2) and 1 Sub Ent CA in Domain2 (2012 R2).
SubCA 1 and 2 are configured pretty much identically, however when setting up SubCA 2 I am having issues running the Certutil -CRL command to publish the CRL.
My CDP locations are configured as follows:
I can confirm that the base CRL publishes correctly to the CertEnroll location and LDAP correctly. But it fails trying to publish to the HTTP/File location (which is the same path).
I get the error:
CertUtil: The directory name is invalid
Also the Delta CRL fails on the CertEnroll default directory as well as the file/http path with the error:
Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: file://\\pki.domain\
I'm pretty certain it's not a permissions issue as I've added Everyone for NTFS/share permissions to test without any change. The install was done with an Enterprise Admin account but I'm doing all the testing now with a normal admin account (admin on the CA/server but not domain or enterprise admin).
The File/HTTP location is on the CA itself (I know this is likely not best practice, but it needs to be there in the short term), so I'm not sure if the Windows firewall comes into play.
Thanks!
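One way to narrow down a "directory name is invalid" publish failure is to read the CA's CRLPublicationURLs list straight from the registry and check every file:// target the CA is actually set to write to (base and/or delta) for an existing, writable directory. This is an added troubleshooting example, not code from the original post; it assumes it runs on the CA itself in an elevated PowerShell session, and the CSURL_* flag values are the documented bits of the "flags:url" entries.

```powershell
# Added example (not from the original post): list the CA's CRL publication
# locations and check each file:// location the CA publishes to.
# Assumes an elevated session on the CA; the Active value names the CA key.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$urls   = (Get-ItemProperty -Path "$cfgKey\$caName" -Name CRLPublicationURLs).CRLPublicationURLs

# Documented flag bits of each "flags:url" entry
$CSURL_SERVERPUBLISH      = 1    # CA writes the base CRL here
$CSURL_SERVERPUBLISHDELTA = 64   # CA writes the delta CRL here

foreach ($entry in $urls) {
    $flagText, $url = $entry -split ':', 2
    $flags = [int]$flagText
    $publishBase  = ($flags -band $CSURL_SERVERPUBLISH) -ne 0
    $publishDelta = ($flags -band $CSURL_SERVERPUBLISHDELTA) -ne 0

    # Entries that are only embedded as CDP in certificates are never written to
    if (-not ($publishBase -or $publishDelta)) { continue }
    # Only file:// (local path or UNC) targets produce directory errors on publish
    if ($url -notmatch '^file://') { continue }

    # Strip the scheme and look at the directory part; %3%8%9.crl etc. is the file name
    $path = $url -replace '^file://', ''
    $dir  = Split-Path -Path $path -Parent

    $status = if ($dir -match '%\d+') {
        'directory part still contains a %N token; resolve it manually'
    } elseif (-not (Test-Path -Path $dir -PathType Container)) {
        'MISSING: directory does not exist or share is unreachable'
    } else {
        # Probe write access with a throwaway file, as the CA service would write a CRL
        try {
            $probe = Join-Path -Path $dir -ChildPath ([guid]::NewGuid().ToString() + '.tmp')
            [IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -Path $probe -Force
            'OK: directory exists and is writable'
        } catch {
            "exists but not writable: $($_.Exception.Message)"
        }
    }

    $kinds = @()
    if ($publishBase)  { $kinds += 'base' }
    if ($publishDelta) { $kinds += 'delta' }
    Write-Output ("[{0}] {1}" -f ($kinds -join '+'), $url)
    Write-Output ("        -> {0}" -f $status)
}
```

A location that shows MISSING or "not writable" here is the one the CA service hits on `certutil -CRL`; note that the write probe runs as the logged-on user, not as the CA service account, so a directory that passes here can still fail if the service identity has different access.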