AIA Publication Variables
Topology: We have an offline root and 2 online issuing CAs
The issuing CAs were configured with non-default AIA publication points and I think there may be an issue with the hardcoded AIA locations once we renew the issuing CAs' certificates. Please let me know if my assumption is correct.
The default AIA locations (which used variables) were all removed.
The new AIA publication configuration is hardcoded as:
G:\aia\AD-Intermidate-Windows-CA.crt
http://aia.domain.com/AD-Intermidate-Windows-CA.crt (include in the AIA extension of issued certificates)
http://ocsp.domain.com/ocsp/
The problem: Next year the issuing CA certificate will need to be renewed at its mid-life. When it's renewed, I believe the new issuing CA's certificate will append "(1)" like AD-Intermediate-Windows-CA(1). I believe that we should have kept the <CA Name> variable for G:\aia\<CA Name>.crt and http://aia.domain.com/<CA Name>.crt so that the newly issued certificates reference the "(1)" version of the CA certificate while certificates issued previously reference the non-numbered issuing CA path.
Does this assumption sound correct? If so, will the variable <CA_Name> include the "(1)" when renewed?
CA Renewal - index number:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa376550(v=vs.85).aspx
January 24th, 2012 11:36am
No, <CAName> includes only sanitized CA name and nothing else. Certificate index is controlled by another variable — <CertificateName>. For initial certificate, the value is null. For subsequent certificates this variable expands to the corresponding index, (1), (2), (3) and so on.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
January 24th, 2012 11:59am
Thanks for the clarification of the variables Vadims!
So am I correct to assume that changing the AIA locations (as shown below) will result in the issuing CA automagically publishing its renewed certificate to the G:\aia\ folder with the "(1)", not overwriting the existing certificate in that folder, and newly issued certificates will be stamped with the http location that also includes the (1)?
From:
G:\aia\AD-Intermediate-Windows-CA.crt http://aia.domain.com/AD-Intermediate-Windows-CA.crt (include in the AIA extension of issued certificates)
To:
G:\aia\<CertificateName>.crt http://aia.domain.com/<CertificateName>.crt (include in the AIA extension of issued certificates)
Also, do I have to be concerned with the CRL Distribution Point with regards to the issuing CA's Certificate Index Number? I assumed the crl file name and http path would not change as a result of the renewal of an issuing CA certificate, only the AIA field would be affected.
January 24th, 2012 1:13pm
After changing the paths as mentioned above, the Enterprise PKI health tool was checking path http://aia.domain.com/.crt, so it seems <CertificateName> didn't resolve as I had assumed it would.
So is <CertificateName> just the index number? Perhaps I should use
http://aia.domain.com/<CA Name><CertificateName>.crt
It also seems simple enough that we may manually update the AIA file and http paths to include the "(1)" when we renew the issuing CA's certificate? I'd rather not, for the sake of other admins - but it's not that big a deal.
January 24th, 2012 2:18pm
> http://aia.domain.com/<CA Name><CertificateName>.crt
Exactly! <CertificateName> just adds an index, if any.
> It also seems simple enough that we may manually update the AIA file and http paths to include the "(1)" when we renew the issuing CA's certificate?
No, just configure the URL as specified above.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
January 24th, 2012 2:28pm
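Putting the answer above into a repeatable, checkable form: an added example (not code from the thread or its participants) that writes the AIA entries with the registry-form tokens %3 (<CAName>) and %4 (<CertificateName>) via certutil, then verifies that a CA certificate file exists for every certificate index. It assumes it runs elevated on the issuing CA with the default CertSvc registry layout; G:\aia, aia.domain.com and ocsp.domain.com are the thread's own placeholders.

```powershell
# Added example, not the thread's own configuration. Sets the issuing CA's AIA
# publication list so each renewed CA certificate gets its own file and URL,
# then checks the result. Paths/hosts are the thread's placeholders (assumed).

# Each CACertPublicationURLs entry is "flags:url". Flag bits used here:
#   1  = publish the CA certificate to this location when the service starts
#   2  = include the URL in the AIA extension of issued certificates
#   32 = include the URL in the OCSP entry of issued certificates
# %3 = <CAName> (sanitized name), %4 = <CertificateName> ("" for index 0,
# "(1)", "(2)", ... for renewals). CRL names use a different token (%8,
# <CRLNameSuffix>), so this change leaves the CDP configuration alone.
$aiaEntries = @(
    '1:G:\aia\%3%4.crt',                  # G:\aia\<CAName><CertificateName>.crt
    '2:http://aia.domain.com/%3%4.crt',   # same name in the AIA extension
    '32:http://ocsp.domain.com/ocsp/'
)

# certutil takes the whole multi-string as one argument; entries are
# separated by a literal backslash-n, so join with '\n' (not "`n").
$value = $aiaEntries -join '\n'
certutil -setreg CA\CACertPublicationURLs $value
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed (exit $LASTEXITCODE)" }

# The CA only re-reads its publication URLs (and re-publishes) on start.
Restart-Service -Name certsvc

# Check 1: read back what is actually stored, straight from the registry.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$active = (Get-ItemProperty -Path $cfg -Name Active).Active   # sanitized CA name
$stored = (Get-ItemProperty -Path "$cfg\$active" -Name CACertPublicationURLs).CACertPublicationURLs
$stored | ForEach-Object { Write-Host "stored: $_" }

# Check 2: CACertHash holds one hash per CA certificate index, so its length
# tells us which <CAName><CertificateName>.crt files must now exist in G:\aia.
$hashes = @((Get-ItemProperty -Path "$cfg\$active" -Name CACertHash).CACertHash)
for ($i = 0; $i -lt $hashes.Count; $i++) {
    $suffix = if ($i -eq 0) { '' } else { "($i)" }   # <CertificateName> expansion
    $file   = "G:\aia\$active$suffix.crt"
    $state  = if (Test-Path -Path $file) { 'present' } else { 'MISSING' }
    Write-Host ("index {0}: {1} [{2}]" -f $i, $file, $state)
}
```

Run the same check again after the mid-life renewal: a second index should appear and the "(1)" file should be present alongside, not in place of, the original, while the old file keeps serving certificates issued before the renewal.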
Thank you very much Vadims, you've helped me yet again!
January 25th, 2012 8:57am