Hello @Borut Puhar,
Thank you for posting here.
Based on the description, I understand you have a one-tier CA (that is, one offline standalone root CA), is that right?
1. Could you please log on to this standalone root CA, then navigate to Revoked Certificates, right-click the Revoked Certificates container, and choose All Tasks\Publish\New CRL?
2. Then find the CRL file under C:\Windows\System32\CertSrv\CertEnroll on this CA server.
3. Copy the CRL file from step 2 to one DC and republish it to AD.
On the DC, run the command certutil -dspublish -f <the full name of crl file> <CAname>
Would you please confirm:
1. What is the CRL publish interval on your CA server?
2. Do you configure the HTTP type CRL?
Best Regards,
Daisy Zhou
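
The three steps in the reply above, as an added PowerShell example that is not part of the original post. The function names are hypothetical, `certutil -CRL` is used as the command-line counterpart of the GUI publish action, and the CRL path and CA name passed to the second function are placeholders you supply.

```powershell
# Added example, not from the original post.
# Assumptions: default CertEnroll path from step 2; function names are hypothetical.

function New-RootCaCrl {
    # Run on the standalone root CA (steps 1-2).
    $certEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'
    certutil -CRL | Out-Null   # publishes a new CRL, like All Tasks\Publish\New CRL
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }
    # Return the newest base CRL; delta CRL file names end in '+.crl' and are skipped.
    Get-ChildItem -Path $certEnroll -Filter '*.crl' |
        Where-Object { $_.Name -notlike '*+.crl' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

function Publish-CrlToAd {
    # Run on a domain controller after copying the file there (step 3).
    param(
        [Parameter(Mandatory)][string]$CrlPath,  # full path of the copied .crl file
        [Parameter(Mandatory)][string]$CaName    # the <CAname> value from the post
    )
    if (-not (Test-Path -LiteralPath $CrlPath)) { throw "CRL file not found: $CrlPath" }

    # Show the validity window first so a stale copy is not republished by mistake.
    $dump = certutil -dump $CrlPath
    if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $CrlPath" }
    $dump | Select-String -Pattern 'ThisUpdate:', 'NextUpdate:' |
        ForEach-Object { Write-Host $_.Line.Trim() }

    # Same command as in the post.
    certutil -dspublish -f $CrlPath $CaName
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
}

# On the CA:  New-RootCaCrl
# On the DC:  Publish-CrlToAd -CrlPath '<full path of copied crl file>' -CaName '<CAname>'
```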