It came to our attention that the whitepaper "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure" gives incorrect guidance in the section "Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File". The current documentation recommends adding the CRL published by the Root CA to the Root certificate store.
Two corrections are needed to the commands in step #4 of the "Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File" section:
The correct commands would look like the following:
for %C in (FloppyDrive:\*.crt) do certutil -addstore Root %C
for %C in (FloppyDrive:\*.crl) do certutil -addstore CA %C
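
The corrected commands in batch-file form, followed by a store listing to confirm the import. This is an added example, not taken from the whitepaper; the `SRC` variable and the `:fail` label are assumptions, and `FloppyDrive:` remains a placeholder for the real drive letter.

```batch
@echo off
rem Added example, not from the whitepaper: import the Root CA certificate
rem and CRL on the intermediate CA, then list both stores for review.
rem SRC is an assumed variable; replace the FloppyDrive: placeholder with
rem the drive that holds the .crt and .crl files.
setlocal
set "SRC=FloppyDrive:"

rem Inside a batch file the loop variable is written %%C; at an
rem interactive command prompt it is written %C.

rem The Root CA certificate goes into the Root store.
for %%C in ("%SRC%\*.crt") do (
    certutil -addstore Root "%%C" || goto :fail
)

rem The CRL published by the Root CA goes into the CA store,
rem not the Root store.
for %%C in ("%SRC%\*.crl") do (
    certutil -addstore CA "%%C" || goto :fail
)

rem Dump both stores so the operator can confirm that the certificate
rem is listed under Root and the CRL is listed under CA.
certutil -store Root
certutil -store CA

endlocal
exit /b 0

:fail
echo Import failed; see the certutil output above. 1>&2
endlocal
exit /b 1
```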