> I am having issues creating a subordinate CA.
>
> Here is the situation: I have an Enterprise CA for the domain, and I
> am trying to create a subordinate CA that is not connected on the
> domain. I request a cert and issue the cert from the Root CA. I
> install everything and it all looks to be working fine. Then I open
> Certificate Authority msc and try to start the services and it says
> that the CRL cannot be found. I can ping the Root CA using the
> certutil command. I can browse to the CRL using http, I can also
> connect using telnet on port 3890. Why can't the subordinate CA
> retrieve the CRL?
>
> Thanks in advance for any assistance.
> Trevor
>
1) Make sure that the LDAP URL listed in the CDPs is available from your
subordinate CA (so there are no name resolution problems).
2) Make the CRL readable by everyone (including anonymous users). You can
use various LDAP browsers to check availability of the CRL (for example,
Softerra LDAP Browser -
http://download.softerra.com/files/ldapbrowser26.msi).
--
With best regards
Nickolay Domukhovsky, MCSA
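
The name-resolution check from point 1 of the reply above, as an added example that is not part of the original thread. It parses each CDP URL and reports whether the URL names a server at all and whether that name resolves from the machine running it; the URLs, host names and function names are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit, unquote

# Constructed sample CDP URLs (hypothetical names, not taken from the thread).
_DN = ("CN=Example%20Root%20CA,CN=ROOTCA,CN=CDP,CN=Public%20Key%20Services,"
       "CN=Services,CN=Configuration,DC=example,DC=test")
_Q = "?certificateRevocationList?base?objectClass=cRLDistributionPoint"
SAMPLE_CDPS = [
    "ldap:///" + _DN + _Q,                      # no host in the URL
    "ldap://rootca.example.test/" + _DN + _Q,   # explicit host
    "http://rootca.example.test/CertEnroll/Example%20Root%20CA.crl",
]

def parse_cdp(url):
    """Split a CDP URL; LDAP URLs are ldap://host:port/dn?attrs?scope?filter."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    info = {"scheme": scheme, "host": parts.hostname, "port": parts.port}
    if scheme in ("ldap", "ldaps"):
        # Pad so URLs that omit scope or filter still unpack cleanly.
        attrs, scope, flt = (parts.query.split("?") + ["", "", ""])[:3]
        info.update(
            port=parts.port or (636 if scheme == "ldaps" else 389),
            dn=unquote(parts.path.lstrip("/")),
            attribute=attrs, scope=scope, filter=flt,
        )
    return info

def check_cdp(url, resolve=socket.gethostbyname):
    """Return 'no-host', 'unresolvable', 'resolvable' or 'unsupported'."""
    info = parse_cdp(url)
    if info["scheme"] not in ("ldap", "ldaps", "http", "https"):
        return "unsupported"
    if not info["host"]:
        # ldap:/// names no server: the client must locate a directory
        # server itself, which a machine outside the domain cannot do.
        return "no-host"
    try:
        resolve(info["host"])
    except OSError:  # socket.gaierror is a subclass of OSError
        return "unresolvable"
    return "resolvable"

if __name__ == "__main__":
    for cdp in SAMPLE_CDPS:
        print(check_cdp(cdp), cdp)
```

A "resolvable" result covers only point 1; whether the CRL object can be read anonymously (point 2) still has to be checked with an LDAP browser or an anonymous bind.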