EDIT - I found the root cause. After adding the AIA and CDP paths to the RootCA, I had forgotten to restart the certsvc and then requested the SubCA certificates. These did not include the proper AIA and CDP paths because the RootCA simply didn't know them yet. PKIView reads the SubCA certificates issued by the RootCA to get the proper AIA and CDP paths for the RootCA, hence the wrong paths and a bad status. To remediate the issue, I renewed the SubCA certificates, which this time included the proper AIA and CDP paths as I had restarted the service in the meantime. I then revoked the old SubCA certificates and any certificate issued by the SubCAs, requested and issued new certificates and published and distributed the RootCA and SubCA CRLs. Now PKIView is showing all paths as ok and the overall status is good. All services are working as intended.
Hi Niall,
You mention that the "RootCA" part of the command "certutil -f -dspublish myRootCACert.crt RootCA" needs to be changed to the hostname of my offline RootCA. However, when I do this on Server 2019, I get the following error:
certutil -f -dspublish myRootCACert.crt RootCAHostName
CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.
The command is successful if I leave it at "RootCA". However, despite having added the http AIA and CDP locations as described in your series, PKIView for the root only shows file paths like "file:////RootCAHostName/CertEnroll/myRootCACert.crt" and "file:////RootCAHostName/CertEnroll/myRootCACRL.crl", and both show the status "unable to download". There is no http AIA or CDP entry for the root CA in PKIView. I've checked the root CA itself and the properties clearly show AIA and CDP http location entries and the correct boxes ticked as per your guide (see screenshots).
Running "certutil -f -dspublish myRootCACRL.crl RootCAHostName" works, but does not change anything in PKIView for the root CA, even after restarting the service.
Certificate Services themselves are working fine: both issuing CAs, the OCSP (as an array) and the http CRL locations work fine. Certificates issued by both CAs are valid and the certificate chain checks out as OK. So everything seems fine, except for PKIView?
Any idea what could have gone wrong and what I could further try to remediate?
Thanks,
Fred
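The check behind Fred's root cause, as an added PowerShell example (not code from the original post or from Niall's series): PKIView takes the root CA's AIA and CDP locations from the certificates the root has issued, so a SubCA certificate requested before certsvc was restarted carries only the old file:// locations even though the root's properties already show the http entries. The script reads the CDP (OID 2.5.29.31) and AIA (OID 1.3.6.1.5.5.7.1.1) extensions out of an exported SubCA certificate and warns when no http URL is present. The file path and the expected host name are assumptions. The commented commands at the end restate the publishing steps; note that for a certificate file the last argument of certutil -dspublish is one of the fixed container keywords (RootCA, SubCA, NTAuthCA, ...), not a hostname, which is why the hostname variant fails with ERROR_INVALID_PARAMETER, while for a CRL file the optional last argument is the CA host name.

```powershell
# Added example, not from the original post. Inspect a certificate issued by the
# root CA and report the AIA/CDP URLs actually embedded in it. If only file://
# (or no) locations are present, the cert was issued before the root CA service
# picked up the new http locations and must be renewed after restarting certsvc.
param(
    [string]$SubCaCert = 'C:\PKI\IssuingCA1.crt',    # assumption: exported SubCA cert
    [string]$ExpectedHttpHost = 'pki.example.com'     # assumption: host in the http AIA/CDP URLs
)

function Get-UrlsFromExtension {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as the same multi-line text certutil -dump shows,
    # with one "URL=..." entry per location (http://, ldap:///, file://).
    $text = $ext.Format($true)
    return [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SubCaCert

$cdp = Get-UrlsFromExtension -Cert $cert -Oid '2.5.29.31'          # CRL Distribution Points
$aia = Get-UrlsFromExtension -Cert $cert -Oid '1.3.6.1.5.5.7.1.1'   # Authority Information Access

"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"NotBefore : $($cert.NotBefore)"
"CDP URLs  : $($cdp -join ', ')"
"AIA URLs  : $($aia -join ', ')"

$httpCdp = @($cdp | Where-Object { $_ -match "^http://$([regex]::Escape($ExpectedHttpHost))/" })
$httpAia = @($aia | Where-Object { $_ -match "^http://$([regex]::Escape($ExpectedHttpHost))/" })

if ($httpCdp.Count -eq 0 -or $httpAia.Count -eq 0) {
    Write-Warning ("No http://$ExpectedHttpHost AIA/CDP URL in this certificate. " +
        "It was issued before the root CA applied the new locations: restart certsvc " +
        "on the root CA, renew the SubCA certificate, then revoke the old one.")
}
else {
    "OK: http AIA and CDP locations are embedded; PKIView will use these for the root CA."
    # Optional live check of every embedded URL (needs network access to the CDP/AIA host).
    certutil -verify -urlfetch $SubCaCert
}

# Reference: order of operations on the root CA after changing AIA/CDP in the CA properties.
#   Restart-Service certsvc          # apply the new URLs before issuing any SubCA certificate
#   certutil -crl                    # publish a fresh root CRL
# Then, on a domain-joined machine, publish the root certificate and CRL to AD:
#   certutil -f -dspublish C:\PKI\myRootCACert.crt RootCA            # "RootCA" is a container keyword
#   certutil -f -dspublish C:\PKI\myRootCACRL.crl RootCAHostName     # for a CRL the CA host name is accepted
```

Run it against each SubCA certificate issued by the root; a certificate whose NotBefore predates the certsvc restart on the root is the one to renew, and the revoke-and-reissue step only makes sense once the renewed SubCA certificate shows the http URLs here.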