I have recently built a two-tier PKI infrastructure. It consists of an offline root CA named xxxx-ROOTCA and an online enterprise CA named xxxx-SUBCA1.
The server xxxx-SUBCA1 also has an internal web site configured on it to which I want to publish the CRLs.
I have issued a handful of certificates during testing that I would now like to revoke. When I go to manually publish the CRL, I get the following error message: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
In trying to find a solution to this issue, I have come across several resources that state the computer account of the CA must be given additional rights on the share where the CRL is to be published. I've gone into the share (located at D:\pki on xxxx-SUBCA1) and given the xxxx-SUBCA1$ computer account full control share permissions and full control NTFS permissions. I have also made sure the computer account has the same level of share and NTFS permissions for C:\Windows\System32\certsrv\CertEnroll.
If anyone can help me figure out what I have done wrong here, it would be greatly appreciated.
Best regards,
NTD_1313
You need to give the Cert Publishers group write permission on your share on the web server.
Also, note that (unless this is a lab environment) your web server shouldn't be on the same box as the CA.
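A worked version of the fix in the answer above, as an added example that is not part of the original thread. It assumes the share is D:\pki on the CA host (as the question states), that it is shared under the name "pki", and that the NetBIOS domain is CONTOSO; all three are placeholders to adjust. It grants Cert Publishers and the CA's computer account Modify on NTFS and Change on the share, then checks that the CA is actually configured to publish to that location and re-runs the publish that failed.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on the issuing CA. Requires the SmbShare module (Server 2012 or later).

$Domain     = 'CONTOSO'            # assumption: your NetBIOS domain name
$SharePath  = 'D:\pki'             # path given in the question
$ShareName  = 'pki'                # assumption: the share name for D:\pki
$Principals = @(
    "$Domain\Cert Publishers",     # group named in the answer
    "$Domain\xxxx-SUBCA1$"         # the issuing CA's computer account
)

# 1. NTFS: Modify is enough. The CA must overwrite the previous CRL file and
#    write the temporary file it uses during publication, so Write alone is
#    not sufficient; Full Control is more than it needs.
$acl = Get-Acl -Path $SharePath
foreach ($p in $Principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# 2. Share permissions: Change (read + write + delete) is sufficient.
foreach ($p in $Principals) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $p `
        -AccessRight Change -Force | Out-Null
}

# 3. Confirm the CA is told to publish to this share. Each entry in
#    CRLPublicationURLs carries a flags value; bit 1 (CSURL_SERVERPUBLISH)
#    means "write the CRL here", and a UNC file:// entry is what the CA
#    writes to using its computer account over SMB.
certutil -getreg CA\CRLPublicationURLs

# 4. Re-run the publish that produced 0x80070005 and verify the file landed.
certutil -CRL
Get-ChildItem -Path $SharePath -Filter '*.crl' |
    Select-Object Name, LastWriteTime

# 5. Show the effective NTFS entries for the two principals, for the record.
(Get-Acl -Path $SharePath).Access |
    Where-Object { $_.IdentityReference -like '*Cert Publishers' -or
                   $_.IdentityReference -like '*SUBCA1$' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Two caveats worth checking before blaming the ACLs: the CA writes to a UNC location as its computer account even when the share is on the same server, so both the share ACL and the NTFS ACL are evaluated; and the CA's computer account gets its Cert Publishers membership in its logon token, so if it was added to the group after the last reboot, the new membership is not in effect until the server restarts.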