Paul Walsh

asked on

Certificate Services AIA Location error

Hi All,

I am setting up a 2 tier PKI environment with two Server Core 2016 servers following this guide. https://www.petenetlive.com/KB/Article/0001312

I have more or less got it up and running but I am hitting a snag with the AIA location for the offline ROOTCA. Within pkiview (from the management pc) it tells me it cannot download the file: ////TEST-ROOTCA_TEST-ROOTCA-CA.crt

Within the extensions tab the AIA has the following locations:

C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><Certificate Name>.crt
ldap:///CN=<CATruncatedName><CN=AIA,CN=Public Key Services,CN=services,<ConfigurationContainer><CAObjectClass>
http://pki.test.local/CertEnroll/<ServerDNSName>_<CAName><CertificateName.crt>

However, if I navigate to the CertEnroll folder on the root server I can see the cert in there. I have attached snippets of a few screengrabs showing the error, and the settings / troublesome cert.

What am I missing?

Thank you,
Paul
ASKER CERTIFIED SOLUTION
David Johnson, CD
Paul Walsh

ASKER

Hi David,

Thank you for your response. I set up the IIS server first, and the DNS part pointing to it. As part of the ROOTCA install I ran the following in PowerShell:

Certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.cabench.com/pki/%1_%3%4.crt"

Certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.cabench.com/pki/%3%8%9.crl"

If I understand you correctly, should I omit the first part "1:C:\Windows.........." and only include the ldap and http pointer? Should that also be the case for the CRL URL?

That being said, is there any way to successfully fix the current test environment? (I have tried removing the file pointer, however it still remains, even if no entries exist in the AIA section.)

Thanks for your help.
Paul
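The two certutil strings above are "flags:template" entries separated by a literal backslash-n, where the flag bits decide whether a location is only a publication target (bit 1) or is also embedded in the AIA/CDP extension of issued certificates (bit 2), and the %n tokens are expanded to CA names. The following script (an added example, not from the question or the linked guide) decodes the poster's AIA string, expands the tokens with constructed names matching the TEST-ROOTCA_TEST-ROOTCA-CA.crt file from the question, and lists which locations would end up inside issued certificates, including any entry with bit 2 set that has no scheme a client could fetch.

```python
import re

# Bit flags certutil uses in CACertPublicationURLs / CRLPublicationURLs (CSURL_* values).
FLAG_NAMES = {
    1: "publish here",
    2: "include in AIA/CDP extension of issued certificates",
    4: "include in freshest-CRL extension",
    8: "include in CDP extension of CRLs",
    16: "retry publication",
    32: "include in OCSP entry of AIA",
    64: "publish delta CRLs here",
    128: "include in IDP extension of CRLs",
}

# Constructed values for the %n tokens (%1 ServerDNSName, %2 ServerShortName, %3 CAName,
# %4 CertificateName, %6 ConfigurationContainer, %7 CATruncatedName, %8 CRLNameSuffix,
# %9 DeltaCRLAllowed, %10 CDPObjectClass, %11 CAObjectClass); %4/%8/%9 are empty for a first CA cert/CRL.
NAMES = {
    1: "TEST-ROOTCA", 2: "TEST-ROOTCA", 3: "TEST-ROOTCA-CA", 4: "",
    6: "CN=Configuration,DC=test,DC=local", 7: "TEST-ROOTCA-CA", 8: "", 9: "",
    10: "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    11: "?cACertificate?base?objectClass=certificationAuthority",
}

# The AIA string from the question, as a raw string so "\n" stays a literal separator.
AIA = r"1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.cabench.com/pki/%1_%3%4.crt"


def parse_publication_urls(value):
    """Split a certutil publication string (literal backslash-n separated) into (flags, template) pairs."""
    entries = []
    for part in value.split("\\n"):
        flags, template = part.split(":", 1)
        entries.append((int(flags), template))
    return entries


def expand(template, names=NAMES):
    """Substitute %n tokens the way the CA does when building the extension."""
    return re.sub(r"%(\d+)", lambda m: names.get(int(m.group(1)), m.group(0)), template)


def flag_names(flags):
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def extension_locations(value, names=NAMES):
    """Locations embedded in issued certificates: only entries carrying bit 2."""
    return [expand(t, names) for f, t in parse_publication_urls(value) if f & 2]


def unfetchable_in_extension(value, names=NAMES):
    """Bit-2 entries with no http/ldap scheme, i.e. a local path a client cannot download."""
    return [expand(t, names) for f, t in parse_publication_urls(value)
            if f & 2 and not t.startswith(("http://", "ldap://"))]


if __name__ == "__main__":
    for flags, template in parse_publication_urls(AIA):
        print(flags, flag_names(flags), "->", expand(template))
```

Running it against the question's string shows the C:\ path carries only bit 1, so it is a publish target rather than part of the extension, while the ldap and http entries are what relying parties see.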
Remove all but the URL.
You have to reissue all the certificates.
Hi,

Will give it a go and let you know how I get on.

Thanks for your help.
Paul
Hi,

Unfortunately I have been pulled onto other things, so it might be a while before I can really test. I'll award the points anyway, and I can always ask again if I hit any further snags.

Thanks Again.
Paul