I am currently "prototyping" a Windows PKI with the AD CS role. I have a two-tier hierarchy (Root Offline CA -> Enterprise Sub-CA -> Digital Certs).
Furthermore, I am trying to publish the CRL of my Root CA to a network drive. Let me explain my setup:
I have a Domain Controller (DCVS01), serving the domain foonet.local. Additionally, I have a Windows Server 2019 (WS01) which is in the domain. This server runs IIS and shares the wwwroot\CertEnroll folder, thereby creating a network share. The last server I have is the Windows Server (WS02) which is not joined to the domain and also has AD CS installed for the Root Offline CA.
I am currently configuring the CRL for WS02 (The Root CA). I have correctly mounted the network drive with the following command:
net use Z: \\IP_ADDRESS\CertEnroll /persistent:yes /user:service.crlshare PASSWORD
(I created a service account in the domain with the name service.crlshare)
I have tested it and I can read and write without an issue. The IIS server is also reachable. When I try to add the network share to the CRL settings for publishing, it does not work. Here are all the distribution points/paths I tried:
Z:\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://\\IP_ADDRESS\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
\\IP_ADDRESS\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Upon trying to publish, I get the following error: The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)
Besides the different CDPs, here is what I tried:
- Make sure permissions are alright (WS02 can read & write to the network drive)
- Make sure the network drive is mounted so that no auth is needed since it's mounted
- Checked that the account on WS01 (service.crlshare) has permissions to read and modify
- Checked that WS01 is accessible (network-wise) from WS02
- Files are served correctly by the Webserver (IIS)
Is it even possible to publish it the way I thought of it? I cannot find any error in my setup. Thanks for the help in advance
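As an added example (not part of the question above), this is how the same publication and retrieval URLs can be configured from PowerShell on the Root CA and then checked end to end, so that the CDP settings, the file on the share and what IIS serves can each be verified separately. It assumes the ADCSAdministration module on WS02, an assumed HTTP URL for the IIS share, and that the share grants write access to the identity the CertSvc service actually runs under (Local System by default, which reaches the network as the computer account and does not see a drive letter mapped in a user session).

```powershell
# Added example, not the original poster's configuration. Assumptions: the
# ADCSAdministration module is present on the Root CA, the HTTP base URL is a
# guess for the IIS site that exposes the CertEnroll share, and the CertSvc
# service identity (Local System -> computer account on the network) has write
# access to the share; drive letters mapped via 'net use' in a user session
# are not visible to that service identity.
Import-Module ADCSAdministration

$uncBase  = '\\IP_ADDRESS\CertEnroll'                       # placeholder from the question
$httpBase = 'http://WS01.foonet.local/CertEnroll'           # assumed HTTP path to the same folder
$crlName  = '<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'  # token template expanded by the CA

# Record what is configured before changing anything.
Get-CACrlDistributionPoint | Format-Table Uri, PublishToServer, AddToCertificateCdp -AutoSize

# Publication target: where the CA writes the CRL. UNC paths use the file:// prefix.
Add-CACrlDistributionPoint -Uri "file://$uncBase\$crlName" `
    -PublishToServer -PublishDeltaToServer -Force

# Retrieval URL embedded in issued certificates: clients fetch over HTTP, never SMB.
Add-CACrlDistributionPoint -Uri "$httpBase/$crlName" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

Restart-Service certsvc

# Publish a fresh CRL; a non-zero exit code means the publication failed.
certutil -crl
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed; check the CA's Application event log" }

# 1) Did the file land on the share?
$published = Get-ChildItem -Path $uncBase -Filter '*.crl' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $published) { throw "No CRL found on $uncBase" }

# 2) Does IIS serve it, and are the served bytes identical to what the CA wrote?
$tmp = Join-Path $env:TEMP $published.Name
Invoke-WebRequest -Uri "$httpBase/$($published.Name)" -OutFile $tmp -UseBasicParsing
$onShare = (Get-FileHash -Path $published.FullName -Algorithm SHA256).Hash
$viaHttp = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
if ($onShare -ne $viaHttp) { throw "CRL on the share and CRL served by IIS differ" }

# 3) Is the downloaded file a parseable CRL (certutil prints issuer, validity, revoked serials)?
certutil -dump $tmp
```

Checking the three stages separately tells you whether a failure is in the CA's publication step (CertSvc identity and path), in the share itself, or in what IIS exposes.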