How to avoid Delta CRL download errors on Windows Server 2008 with IIS7
If delta CRLs are hosted on a Windows Server 2008 server running Internet Information Server 7 (II7), the configuration of a request filter must be changed in the IIS7 configuration.
IIS7.0 does not allow URI’s that do not match upon double escaping. Delta CRLs fall into that category because of the plus sign in the filename.
To change the filter for the site that is hosting the CRLs and delta CRLs, perform the following command at a command line:
appcmd set config "Default Web Site/VDIR" -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true
You have to replace VDIR with the name of the web site hosting the delta CRL, for example:
appcmd set config "Default Web Site/PKI" -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true
To change the setting for the default Web site, use this command:
appcmd set config "Default Web Site" -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true
For related information about the configuration of request filters in IIS7 is found on Microsoft TechNet.