Solved

How do I modify the CDP and AIA URL on a standalone root certification authority

Posted on 2010-11-16
2
2,775 Views
Last Modified: 2012-05-10
Hi, I created a certification hierarchy with an offline root certification authority in a lab environment. I followed the instructions in a TechNet article, http://technet.microsoft.com/en-us/library/cc737834(WS.10).aspx. I'm running into an issue when I start the Certificate Services on my enterprise subordinate CA. I receive the following the message, "The revocation function was unable to check revocation because the revocation server was offline, 0x80092013 (-2146885613)."

Looks like I didn't modify the URL of the certificate revocation list (CRL) and the authority information access (AIA) distribution points correctly. Here's what I did, I added a new CDP location, file://\\FQDN\sharename\<CAName><CRLNameSuffix>.crl, and selected the Include in the CDP extension of issued certificates checkbox. Then I added a new location AIA location, file://\\FQDN\sharename\<ServerDNSName>_<CaName><CertificateName>.crt, and selected the Include in the AIA extension of issued certificates checkbox.

After changing the CDP and AIA distribution points, I published a new CRL. When I open the Properties of Revoked Certificates to view the CRL, it shows the ldap location on the root CA and not the new location.

Am I not allowed to use a UNC path as a new CDP and AIA distribution point? If yes, what would be the proper format of a ldap entry to point them to a new location? Would I just copy the existing URL and change the distinguished name?
0
Comment
Question by:ipswitch
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 4

Accepted Solution

by:
shudman earned 500 total points
ID: 34209489
I believe that only LDAP, HTTP and FTP are allowed....no UNCs (except the local certenroll directory).
Whilst I know you can set this in the UI, the formatting is somewhat cumbersome, and is actully a mare to get your head around, it is typically done in a script.  Have a peek at this http://technet.microsoft.com/es-es/library/cc779083(WS.10).aspx
0
 

Author Closing Comment

by:ipswitch
ID: 34277151
No.
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question