Before installing Certificate Services on the issuing CA, you must ensure that the issuing CA trusts the root CA and is able to download the policy CA certificate and CRL for certificate revocation checking.
This is accomplished by manually installing or publishing the root CA and policy CA certificates stored on a floppy disk to the following locations:
■ The local computer's trusted root store and intermediate CA store. This location is required if you are unable to publish the certificate into Active Directory or to the HTTP URL referenced in the AIA and CDP extensions of certificates issued by the root or policy CA. This location is also required if the issuing CA is a standalone CA.
■ Active Directory. The root and policy CA certificate and CRLs can be published into Active Directory. Publication into Active Directory enables the automated download of the certificates to all Windows 2000, Windows XP, and Windows Server 2003 computers that are members of the forest.
■ HTTP URLs referenced in the AIA and CDP extensions. The root and policy CA certificates and CRLs must be manually published to these locations to enable download of the CA certificates and CRLs to all clients using these URLs for chain building and revocation checking.
Was this article helpful?