Paul Walsh
asked on
Certificate Services AIA Location error
Hi All,
I am setting up a 2 tier PKI environment with two Server Core 2016 servers following this guide. https://www.petenetlive.com/KB/Article/0001312
I have more or less got it up and running but I am hitting a snag with the AIA location for the offline ROOTCA. Within pkiview (from the management PC) it tells me it cannot download the file: ////TEST-ROOTCA_TEST-ROOTCA-CA.crt
Within the extensions tab the AIA has the following locations:
C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
ldap:///CN=<CATruncatedName><CN=AIA, CN=Public Key Services,CN=services,<ConfigurationContainer><CAObjectClass>
http://pki.test.local/CertEnroll/<ServerDNSName>_<CAName><CertificateName.crt>
However, if I navigate to the CertEnroll folder on the root server I can see the cert in there. I have attached snippets of a few screengrabs showing the error, and the settings / troublesome cert.
What am I missing?
Thank you,
Paul
Remove all but the URL.
You have to reissue all the certificates.
ASKER
Hi,
Will give it a go and let you know how I get on.
Thanks for your help.
Paul
ASKER
Hi,
Unfortunately I have been pulled onto other things, so it might be a while before I can really test. I'll award the points anyway, and I can always ask again if I hit any further snags.
Thanks Again.
Paul
ASKER
Thank you for your response. I set up the IIS server first, and the DNS part pointing to it. As part of the ROOTCA install I ran the following in PowerShell:
Certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\Cer
Certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\Cer
If I understand you correctly, should I omit the first part "1:C:|Windows.........." and only include the ldap and http pointer? Should that also be the case for CRL URL?
That being said, is there any way to successfully fix the current test environment? (I have tried removing the file pointer, however it still remains, even if no entries exist in the AIA section.)
Thanks for your help.
Paul