Enterprise PKI "Unable to Download" from all HTTP locations

    Question

  • I have a two-tier PKI setup: offline root and an issuing CA joined to the AD domain.

    When I open Enterprise PKI everything is OK except for the HTTP CDP and AIA locations.  They all say "Unable to Download".

    All LDAP locations report OK, and issuing and root certificates show OK.

    I copy the URL for the AIA and CDP HTTP locations into a browser and they download without issue.

    I also ran certutil -verify -urlfetch for the .crt file and received this output:

      Verified "Certificate (0)" Time: 0
        [0.0] ldap:///<removedforprivacy>?cACertificate?base?objectClass=certificationAuthority
    
      Failed "AIA" Time: 0
        Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
        http://www.domainname.com/Certdata/rootca.crt
    
      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (0a)" Time: 0
        [0.0] ldap:///CN=<removedforprivacy>?certificateRevocationList?base?objectClass=cRLDistributionPoint
    
      Failed "CDP" Time: 0
        Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
        http://www.domainname.com/Certdata/rootca.crl
    

    I can't figure out why it can't see those files over HTTP.  They are definitely there.  Does anyone know what else I can check?
    Friday, September 13, 2013 1:34 AM

All replies

  • Hi Ryan,

    pkiview.msc uses the CDP and AIA information from the CA-Exchange certificate. So just in case you have recently changed those settings, the CA-Exchange certificate might still have the old settings. I could not see from your description whether you got the URLs from the CA console Extensions tab or from pkiview.msc.

    You can also export a certificate into a .cer file and run certutil.exe -urlfetch -verify cert.cer from a client. Does this report any issues with accessing the URLs?

    Regards,

    Lutz

    Friday, September 13, 2013 2:25 AM
  • Did you notice that code snippet displays certutil output?

    Looks like there are issues with name resolution. Also make sure that anonymous authentication is enabled on your web site.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Friday, September 13, 2013 5:32 AM
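    The two suggestions above (Lutz: run certutil -urlfetch -verify on an exported certificate; Vadims: check name resolution and anonymous authentication on the web site) can be combined into one script that is run on the issuing CA or on a client. This is an added example and not code posted in the thread. It assumes the certificate to test has been exported to C:\Temp\issuingca.cer (an assumed path; any .cer that carries the HTTP CDP/AIA URLs, including the rootca.crt from the AIA, works).

```powershell
# Added example, not from the thread. Reads the CDP and AIA extensions of a
# certificate, tests DNS and an anonymous HTTP GET for every http:// URL,
# then runs certutil -urlfetch -verify on the same file for comparison.
# $CertPath is an assumed location; export the certificate there first.
param(
    [string]$CertPath = 'C:\Temp\issuingca.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# CDP is OID 2.5.29.31, AIA is OID 1.3.6.1.5.5.7.1.1. Format() renders each
# extension as text ("URL=http://..."), from which the http(s) URLs are pulled.
# The ldap:/// entries, which the question already reports as OK, are skipped.
$urls = foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $cert.Extensions |
        Where-Object { $_.Oid.Value -eq $oid } |
        ForEach-Object {
            [regex]::Matches($_.Format($true), 'https?://[^\s,"]+') |
                ForEach-Object { $_.Value }
        }
}
$urls = $urls | Sort-Object -Unique

$results = foreach ($url in $urls) {
    $hostName = ([uri]$url).Host

    # 0x80072ee7 / WIN32 12007 from certutil is a name-resolution failure, so
    # resolve the host name with the Windows DNS client before touching HTTP.
    $dns = try {
        ([System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.ToString() }) -join ', '
    } catch { "FAILED: $($_.Exception.Message)" }

    # No -UseDefaultCredentials, so this is an anonymous request: a 401 here
    # means Anonymous Authentication is off on the IIS site or virtual directory.
    $http = try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
        "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
    } catch { "FAILED: $($_.Exception.Message)" }

    [pscustomobject]@{ Url = $url; Host = $hostName; Dns = $dns; Http = $http }
}
$results | Format-Table -AutoSize

# certutil and the CA service fetch through WinHTTP and use its proxy settings,
# not the Internet Explorer (WinINET) ones, so a browser that downloads the
# files proves little if WinHTTP points at a proxy that cannot resolve the name.
Write-Host 'WinHTTP proxy settings:'
& netsh.exe winhttp show proxy

# Same fetch path pkiview.msc exercises; keep only the verdict and URL lines.
Write-Host "certutil -urlfetch -verify ${CertPath}:"
& certutil.exe -urlfetch -verify $CertPath |
    Select-String -Pattern 'Verified|Failed|Error retrieving URL|^\s+http'
```

    If the DNS and HTTP columns come back clean but certutil still reports 12007, the WinHTTP proxy output is the place to look: the browser and certutil use different proxy settings, and that is a common way to get "works in IE, fails in pkiview". Because pkiview.msc reads the URLs from the CA Exchange certificate rather than from the Extensions tab, it is also worth running the script against that certificate (certutil -cainfo xchg on the CA displays it) to confirm it carries the current URLs.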
  • That's exactly what it looks like to me too, but DNS is configured correctly and I can resolve the host name from the command prompt and browse to the website URL in Internet Explorer (from the Issuing CA server itself), which prompts me to download the .crl and .crt files (for CDP and AIA respectively).

    I also checked that Anonymous Authentication is enabled on the virtual directory hosting the crl files, and restarted the entire webserver as well, double-checked again after reboot and it is still enabled properly.

    I'm trying to figure out how it is possible that these HTTP URLs are failing via the certutil and pkiview tools, but work without issue any other way I try to access them.

    Could the error I'm getting actually be a symptom of something else that probably has nothing to do with IIS, name resolution, or the existence of those files at those locations? But then I would argue that if that was the case, the LDAP CDP and AIA locations would be failing too...



    Friday, September 13, 2013 12:39 PM