Two-tier PKI, 2nd issuing Enterprise CA, CDP/AIA location not updating as expected.

Sam Na 46 Reputation points
2022-01-02T15:27:06.87+00:00

We have a two-tier PKI in place and tried to add a second enterprise issuing CA in a remote site to provide better availability and redundancy, with the details below.

Two issuing Enterprise Certificate Authorities were deployed.

Server #1 (Site A)

On top of the CA role, added the IIS role and Web Enrollment to the first server and used an alias called cdp.domain.com which points to this first server, and added http://cdp.domain.com as CDP/AIA. All good here (pkiview.msc: all green).

Server #2 (Site B)

Added the 2nd server with only the CA role, and pointed CRL/AIA to cdp.domain.com. Noticed that the revocation list still gets updated in the default location, but not in http://cdp.domain.com, which is the first server's default location (C:\Windows\system32\certsrv\certenroll\).

pkiview.msc shows a "cannot download" error because neither the CRL nor the CRT exists in the cdp.domain.com virtual directory. How do we send updates to the first server so the CDP for both servers becomes one location and all CRLs can be found in the same virtual directory?

Tags: Windows Server, Active Directory, Windows Server Security

1 answer

Sam Na 46 Reputation points
2022-01-02T20:26:48.38+00:00

@lukus290

I found your answer to a related question here:

https://social.technet.microsoft.com/Forums/en-US/e568a95c-6999-4d62-9401-9727a8dd5c35/crl-in-two-issuing-ca-environment?forum=winserversecurity

Not sure if your solution would work for my case here.

"Create 1 CDP path for Websever 1" in my case would be https://cdp1.domain.com or file://cdp1/certenroll?

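The usual way to get both issuing CAs' CRLs into the one virtual directory behind http://cdp.domain.com, covering both the original question and the file:// vs https:// follow-up, is to give the second CA a publish-only (flag 1) path to Server #1's CertEnroll folder over a UNC share and an advertise-only (flag 2/4) HTTP URL on the shared alias. The script below is an added example written for this page, not code from the original post or from any Microsoft documentation; the share name \\cdp.domain.com\CertEnroll and the machine-account permission are assumptions. The advertised URL stays plain HTTP: an https:// CDP would require a TLS certificate whose own revocation status has to be checked first, which is why HTTPS is not used for CDP/AIA.

```powershell
# Added example (not from the original post). Run elevated on Server #2, the CA without IIS.
# Goal: publish Server #2's CRLs and CA certificate into the CertEnroll folder that Server #1
# exposes as http://cdp.domain.com, so one virtual directory serves both CAs.
#
# Assumptions (hypothetical, not stated on the page):
#   - Server #1 shares C:\Windows\system32\CertSrv\CertEnroll as \\cdp.domain.com\CertEnroll
#   - Server #2's computer account (DOMAIN\SERVER2$) has Modify rights on that share and folder
$cdpShare = '\\cdp.domain.com\CertEnroll'
$cdpHttp  = 'http://cdp.domain.com'

# certutil publication flags (CSURL_* values, added together):
#   1  = publish CRLs to this location            2  = include in the CDP extension of issued certs
#   4  = include in CRLs (Freshest CRL pointer)   64 = publish delta CRLs to this location
# Replacement tokens: %1 = server DNS name, %3 = CA name, %4 = cert name, %8 = CRL suffix, %9 = delta suffix
$crlUrls = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',   # keep the local default publish path
    "65:$cdpShare\%3%8%9.crl",                                 # publish base + delta CRL into Server #1's folder
    "6:$cdpHttp/%3%8%9.crl"                                   # advertise only the shared alias in certs/CRLs
)

# AIA flags: 1 = publish the CA certificate to this location, 2 = include in the AIA extension of issued certs
$aiaUrls = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    "1:$cdpShare\%1_%3%4.crt",
    "2:$cdpHttp/%1_%3%4.crt"
)

# REG_MULTI_SZ values are passed to certutil -setreg as one string separated by the literal characters \n
certutil -setreg CA\CRLPublicationURLs ($crlUrls -join '\n')
certutil -setreg CA\CACertPublicationURLs ($aiaUrls -join '\n')

# The CA service reads these settings at start-up; then force a CRL publish to every flag-1 location
Restart-Service CertSvc
certutil -crl

# Publish flag 1 on a .crt path only fires when the CA certificate is installed or renewed,
# so copy the current CA certificate to the shared folder once by hand
Copy-Item 'C:\Windows\system32\CertSrv\CertEnroll\*.crt' -Destination $cdpShare

# Verification: the effective settings, and both CAs' CRL/CRT files sitting in the single shared folder
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem $cdpShare -Include *.crl, *.crt -Recurse | Select-Object Name, LastWriteTime
```

Server #1 continues to publish to its own local CertEnroll path, which is the same directory behind the share, so after the next CRL publication both CAs' files are in the one folder and pkiview.msc can fetch every CDP/AIA URL over the shared alias. If the UNC path is unreachable when certutil -crl runs, the CA logs a publication failure in the Application event log and the local copy is still written, so check the event log on Server #2 and the share ACL before suspecting the HTTP side.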