We have a two-tier PKI in place and tried to add a second enterprise issuing CA in a remote site to provide better availability and redundancy with the below details.
Two issuing enterprise Certificate Authorities were deployed.
On top of the CA role, we added the IIS role and Web Enrollment to the first server, used an alias called cdp.domain.com which points to this first server, and added http://cdp.domain.com as the CDP/AIA. All good here (pkiview.msc is all green).
Server#2 (Site B)
Added the 2nd server with only the CA role and pointed the CRL/AIA to cdp.domain.com. We noticed that the revocation list still gets updated in the default location but not on http://cdp.domain.com, which is the first server's default location (C:\Windows\system32\certsrv\certenroll\).
pkiview.msc shows a "cannot download" error because neither the CRL nor the CRT exists in the cdp.domain.com virtual directory. How do we send updates to the first server so that the CDP for both servers becomes one location and all CRLs can be found in the same virtual directory?
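The behaviour described above follows from how AD CS treats the publication list: an http: entry in CRLPublicationURLs only controls which URL is stamped into issued certificates (flag 2), it never receives a file; a CRL is written only to file or UNC entries carrying the publish flags (1 for the base CRL, 64 for the delta CRL). The second CA therefore needs a file:// UNC target that lands in the folder behind the cdp.domain.com virtual directory, plus permission for its computer account to write there. The PowerShell below is an added example, not code from the original post; it assumes the first CA is SERVER1, that its CertEnroll folder is shared as \\SERVER1\CertEnroll and is the folder the virtual directory serves, that the second CA's computer account is DOMAIN\SERVER2$, and that WinRM to SERVER1 is available. Adjust those names to your environment.

```powershell
# Added example, not from the original post. Run elevated on Server#2 (the
# second issuing CA). ASSUMPTIONS not stated in the post: the first CA is
# SERVER1, its C:\Windows\System32\CertSrv\CertEnroll folder is shared as
# \\SERVER1\CertEnroll and is the folder behind http://cdp.domain.com/CertEnroll,
# and Server#2's AD computer account is DOMAIN\SERVER2$.
$Server1  = 'SERVER1'
$Share    = "\\$Server1\CertEnroll"
$Ca2Acct  = 'DOMAIN\SERVER2$'
$HttpBase = 'http://cdp.domain.com/CertEnroll'

# 1. On SERVER1: the CA service runs as LocalSystem, so over the network it
#    authenticates as the computer account. Give that account Modify on the
#    folder and Change on the share. Delta CRL file names contain '+', which
#    IIS request filtering rejects unless double escaping is allowed.
Invoke-Command -ComputerName $Server1 -ScriptBlock {
    param($Acct)
    $folder = 'C:\Windows\System32\CertSrv\CertEnroll'
    $acl    = Get-Acl -Path $folder
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Acct, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $folder -AclObject $acl
    Grant-SmbShareAccess -Name CertEnroll -AccountName $Acct -AccessRight Change -Force
    & "$env:windir\System32\inetsrv\appcmd.exe" set config 'Default Web Site' `
        /section:system.webServer/security/requestFiltering /allowDoubleEscaping:true
} -ArgumentList $Ca2Acct

# 2. On SERVER2: show the current lists, then rewrite them. Each entry is
#    "flags:URL" in a REG_MULTI_SZ. Flags: 1 publish CRL here, 2 put URL in the
#    CDP extension of issued certs, 4 put URL in the Freshest CRL extension,
#    8 put URL in the CDP extension of CRLs, 64 publish delta CRL here.
#    Tokens: %1 server DNS name, %3 CA name, %4 cert index, %8 CRL key suffix,
#    %9 '+' for delta CRLs. Only file/UNC entries with 1 or 64 get written to.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active      # name of the active CA
$caKey  = Join-Path -Path $cfg -ChildPath $caName
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

$crlUrls = @(
    '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl',  # keep the local copy
    "65:file://$Share\%3%8%9.crl",                           # base + delta CRL to SERVER1
    "6:$HttpBase/%3%8%9.crl"                                 # the single URL clients see
)
$aiaUrls = @(
    '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt',
    "1:file://$Share\%1_%3%4.crt",
    "2:$HttpBase/%1_%3%4.crt"
)
Set-ItemProperty -Path $caKey -Name CRLPublicationURLs    -Type MultiString -Value $crlUrls
Set-ItemProperty -Path $caKey -Name CACertPublicationURLs -Type MultiString -Value $aiaUrls
Restart-Service -Name CertSvc

# 3. Publish. certutil -crl writes to every flag-1/64 location at once. The CA
#    certificate is only copied at install or renewal, so copy the existing
#    .crt across once by hand; %1 in its name keeps it distinct from SERVER1's.
certutil -crl
Copy-Item -Path 'C:\Windows\System32\CertSrv\CertEnroll\*.crt' -Destination $Share
Get-ChildItem -Path "$Share\*" -Include '*.crl', '*.crt'

# 4. Verify as a client would: fetch the CRL through the shared alias and
#    parse it. pkiview.msc on either CA should now show both CDPs as OK.
$tmp = Join-Path -Path $env:TEMP -ChildPath 'check.crl'
Invoke-WebRequest -Uri "$HttpBase/$([uri]::EscapeDataString($caName)).crl" -OutFile $tmp
certutil -dump $tmp | Select-String -Pattern 'Issuer|NextUpdate|CRL Number'
```

Two caveats worth keeping in mind: certificates that Server#2 has already issued keep whatever CDP/AIA URLs were in the extensions at issuance, so the change applies to new certificates only; and the two CAs must have distinct CA names (AD CS requires this), which is what keeps their %3-based CRL file names from colliding in the shared folder.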