AD CS Problem

Anonymous
2024-10-10T08:58:31+00:00

I have a Microsoft AD CS on-prem Two-Tier CA deployed.
On the issuing CA servers, I'm having an issue with the CDP/CRL locations. In pkiview, it constantly points to a CRL that doesn't exist (see attached image).

The path is correct, but before the .crl extension, it constantly appends this (2) in the name. The actual name of the published CRL is CA2-CA.crl.

So far, I've tried (without success):

  • Manually editing the CRL/CDP and AIA extensions in the CA console.
  • Reissuing the issuing CA certificate.
  • Editing the registry containing these records.

I no longer know how to make it point to CA2-CA.crl instead of CA2-CA(2).crl. If anyone has any advice, I would appreciate the help.




3 answers

  1. Anonymous
    2024-10-10T10:36:01+00:00

    Hello JoeFly_55,

    Thank you for posting in Microsoft Community forum.

    Based on my knowledge and experience, you can set the CRL extension and the corresponding registry entries again, correctly, one or more times.

    That is:
    Manually editing the CRL/CDP and AIA extensions in the CA console.

    Editing the registry containing these records.

    Then refresh the PKIview.msc console.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2024-10-10T10:41:15+00:00

    Hello,

    This seems like an AI response. I literally said that I tried that already.

  3. Anonymous
    2024-10-10T14:31:59+00:00

    Hello

    Greetings!

    I'm sorry, I'm not AI.

    I've encountered this question several times in the test environment before: once I configure the AIA or CDP incorrectly, even if I later correct it, the entry in the PKIview.msc console still shows a red cross.

    In your case, you can try to put the file CA2-CA(2).crl in the local path (C:\Windows\System32\CertSrv\CertEnroll) and in the HTTP path if you have one, and publish CA2-CA(2).crl to the AD domain.

    At last, please check if the error disappears.

    Best Regards,
    Daisy Zhou

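An added read-only diagnostic (PowerShell, not part of the thread) that puts the configured CDP templates next to the CRL files the CA has really published, so a template like `%3%8%9.crl` can be compared with the actual `CA2-CA.crl` / `CA2-CA(2).crl` names on disk and over HTTP. It assumes it runs in an elevated session on the issuing CA itself, that the CA name is the CertSvc `Active` registry value, and that CertEnroll is at its default path; the `%8` (CRL name suffix) and `%9` (delta marker) tokens are deliberately left unexpanded.

```powershell
# Added example, not part of the thread: list the CDP entries configured on an
# AD CS issuing CA, decode their publication flags, and compare them with the
# CRL files actually present in CertEnroll, then probe the HTTP CDP for each.
# Assumes: elevated session on the CA host, default CertEnroll location.
$cfgKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $cfgKey).Active
$ca        = Get-ItemProperty -Path (Join-Path $cfgKey $caName)
$enrollDir = "$env:SystemRoot\System32\CertSrv\CertEnroll"

# Flag bits in CRLPublicationURLs entries ("<flags>:<template>"), as printed by
# certutil -getreg CA\CRLPublicationURLs.
$flagNames = @{ 1 = 'ServerPublish'; 2 = 'AddToCertCdp'; 4 = 'AddToFreshestCrl'
                8 = 'AddToCrlCdp';   64 = 'ServerPublishDelta' }

# Tokens resolvable from the local registry. %8 (CRL name suffix) and %9 (delta
# CRL marker) are left as-is: the suffix is the point of the question, so the
# template and the real file names are shown side by side instead.
$tokens = @{ '%1' = $ca.CAServerName
             '%2' = ($ca.CAServerName -split '\.')[0]
             '%3' = $ca.CommonName }

# CRL files the CA has actually written locally (base and delta).
$published = Get-ChildItem -Path $enrollDir -Filter "$($ca.CommonName)*.crl" |
             Select-Object -ExpandProperty Name

foreach ($entry in $ca.CRLPublicationURLs) {
    $flags, $template = $entry -split ':', 2
    $flags = [int]$flags
    $set = ($flagNames.Keys | Where-Object { $flags -band $_ } |
            ForEach-Object { $flagNames[$_] }) -join ','

    $expanded = $template
    foreach ($t in $tokens.Keys) { $expanded = $expanded.Replace($t, $tokens[$t]) }

    # For HTTP CDP entries, check which locally published file names the web
    # server really serves (HEAD request against the CDP directory).
    $served = @()
    if ($expanded -like 'http://*') {
        $dir = $expanded.Substring(0, $expanded.LastIndexOf('/') + 1)
        foreach ($name in $published) {
            try {
                Invoke-WebRequest -Uri ($dir + $name) -Method Head -UseBasicParsing -ErrorAction Stop | Out-Null
                $served += $name
            } catch { }
        }
    }

    [pscustomobject]@{
        Flags      = $set
        Template   = $template
        Expanded   = $expanded
        LocalCrls  = ($published -join '; ')   # a "(N)" before .crl is a CRL name suffix
        ServedHttp = ($served -join '; ')
    }
}
```

The script changes nothing on the CA; a template whose expanded name is absent from both LocalCrls and ServedHttp is the entry pkiview will flag.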