(Certificate) AIA Location - unable to download

    Question

  • For one of my clients I am setting up certificate services.  I have a standalone offline root certificate server and an enterprise Active Directory-integrated subordinate.

    Within the Enterprise PKI MMC I am getting an error "unable to download" for both AIA location and CDP location.

    On the root CA I am using the Extensions tab to enter the direct LDAP paths to both the AIA and CDP locations within Active Directory.  Using LDP I verified the information was in Active Directory and determined the path.

    But when I copy the paths within the "Enterprise PKI tool" I get the following:

    ldap://CN=Orthodonticsolution Root Certificate Authority,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=orthodonticsolution,DC=local/

    ldap://CN=RootCA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=orthodonticsolution,DC=local/

    The reason the object cannot be found is the trailing "/" at the end of the LDAP path.  I am not sure where that trailing slash came from, because it does not exist in the AIA or CDP entries on the Root CA server.

    So the question I have is: how do I input the direct LDAP path on the Root CA server?  Or how do I get rid of the trailing slash?

    Any help is appreciated.  Thanks in advance for all suggestions and help.

    Joel
                

     
    Sunday, July 14, 2013 6:27 PM

Answers

  • Brian,

    Last night I was able to solve my LDAP issue.  The solution was that three slashes were needed in front of the LDAP path, not two, i.e. ldap:///.  Once I edited the extensions and included the third slash, the subordinate CA was able to find all the information in Active Directory.

    Thanks for everyone's help.

    Joel 

    • Marked as answer by Nentwich Tuesday, July 16, 2013 10:45 AM
    Tuesday, July 16, 2013 10:45 AM
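    The three-slash fix above, as an added example that is not code from the thread or from Microsoft. It parses the two URL forms with the RFC 4516 grammar (`ldap://[host[:port]][/dn[?attrs[?scope[?filter]]]]`) to show why `ldap://CN=...` is read as a hostname with an empty DN, and why writing it back out produces exactly the `...DC=local/` the Enterprise PKI snap-in displayed (that this is the snap-in's mechanism is an inference from the URL syntax, not something the thread states). It also expands the default AD CS LDAP templates for CDP and AIA; the token values (server name, CA name, configuration container) are assumed for illustration and may not match the OP's environment.

```python
"""LDAP URL parsing as it applies to AD CS CDP/AIA extension locations.

Added example for this thread; not code from the original post or from
Microsoft. With two slashes, the text after "//" up to the next "/" is the
HOST, so "ldap://CN=RootCA,...,DC=local" has host="CN=RootCA,...,DC=local"
and an empty DN. With three slashes the host is empty (any domain
controller for this naming context) and the DN follows.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class LdapUrl:
    host: str = ""
    dn: str = ""
    attributes: str = ""
    scope: str = ""
    filter: str = ""

    def extension_suffix(self) -> str:
        """The '?attrs?scope?filter' tail, with trailing empty fields trimmed."""
        parts = [self.attributes, self.scope, self.filter]
        while parts and parts[-1] == "":
            parts.pop()
        return "".join("?" + p for p in parts)


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "ldap":
        raise ValueError(f"not an ldap:// URL: {url!r}")
    # Host runs from "//" to the first "/"; with no "/" at all the whole
    # remainder is the host and the DN is empty.
    host, _, path = rest.partition("/")
    dn, _, tail = path.partition("?")
    fields = (tail.split("?", 2) + ["", ""])[:3]
    return LdapUrl(host, dn, fields[0], fields[1], fields[2])


def format_ldap_url(u: LdapUrl) -> str:
    # The "/" between host and DN is emitted even for an empty DN; this
    # reproduces the "ldap://CN=...,DC=local/" the OP saw in the snap-in.
    return f"ldap://{u.host}/{u.dn}{u.extension_suffix()}"


def looks_like_dn(s: str) -> bool:
    """A host name never contains both '=' and ','; an AD DN always does."""
    return "=" in s and "," in s


def fix_ad_location(url: str) -> str:
    """Rewrite a two-slash 'ldap://CN=...' location as 'ldap:///CN=...'.

    URLs that already carry an empty host are returned unchanged.
    """
    u = parse_ldap_url(url)
    if u.host and looks_like_dn(u.host):
        if u.dn:
            raise ValueError(f"both host and DN look like DNs: {url!r}")
        u = LdapUrl("", u.host, u.attributes, u.scope, u.filter)
    return format_ldap_url(u)


# Replacement tokens used by the Extensions tab / certutil templates
# (subset). The VALUES are assumed for this example; the OP's real CA and
# server names may differ.
TOKENS: Dict[str, str] = {
    "%2": "RootCA",                                            # ServerShortName
    "%6": "CN=Configuration,DC=orthodonticsolution,DC=local",  # ConfigurationContainer
    "%7": "Orthodonticsolution Root Certificate Authority",    # CATruncatedName
    "%8": "",                                                  # CRLNameSuffix, empty until a key renewal
    "%10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",  # CDPObjectClass
    "%11": "?cACertificate?base?objectClass=certificationAuthority",            # CAObjectClass
}

# The default LDAP templates AD CS offers for the two extensions.
CDP_TEMPLATE = "ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
AIA_TEMPLATE = "ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"


def expand_tokens(template: str, tokens: Dict[str, str] = TOKENS) -> str:
    out = template
    # Longest names first, so a "%1" entry could never match inside "%10".
    for name in sorted(tokens, key=len, reverse=True):
        out = out.replace(name, tokens[name])
    return out


if __name__ == "__main__":
    # The two-slash CDP location from the thread, as the OP typed it.
    broken = ("ldap://CN=RootCA,CN=CDP,CN=Public Key Services,CN=Services,"
              "CN=Configuration,DC=orthodonticsolution,DC=local")
    u = parse_ldap_url(broken)
    print("host:      ", u.host)                 # the whole DN, taken as a server name
    print("dn:        ", repr(u.dn))             # ''
    print("round trip:", format_ldap_url(u))     # ...DC=local/  the stray slash
    print("fixed:     ", fix_ad_location(broken))
    for name, tmpl in (("CDP", CDP_TEMPLATE), ("AIA", AIA_TEMPLATE)):
        print(name, "->", expand_tokens(tmpl))
```

    Run it as a script to see the two-slash location parsed, re-serialized with the trailing slash, and rewritten; `fix_ad_location` is the check to run over an existing CA's LDAP locations, since it leaves correct three-slash URLs untouched and only rewrites ones whose "host" is really a DN.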

All replies

  • Revocation checking fails when CDP/AIA locations in the CA's cert can't be reached

    Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)

    Regards
    Biswajit Biswas

    Monday, July 15, 2013 4:15 AM
  • Biswajit,

    Thank you for information and two links above.

    I just have a few follow-up questions.  In one of the URL links above it is stated that CDP/AIA paths should be empty.  Is it true that this is best practice?  If so, under the "Extensions" tab on the root CA, should all paths be removed for the CDP and AIA except for the path to the Windows directory (C:\windows\system32\certsrv\certenroll\....)?

    Thanks for all your help,

    Joel 

    Monday, July 15, 2013 5:30 PM
  • No, you are incorrect.

    The Extensions tab references the AIA and CDP that will go into the certificates issued *by* the root CA, not the extensions that will exist *in* the root CA certificate. If you have extensions, you either deployed the root CA with a capolicy.inf with CDP/AIA extensions defined (2008 or higher), or did not use a capolicy.inf file (Server 2003).

    Brian

    Monday, July 15, 2013 6:58 PM
  • Brian,

    I am confused then.  The Root CA is a standalone workgroup machine, running the Standalone version of the Root CA.  I have used certutil to publish the Root CA CDP/AIA into Active Directory. As seen in my first post, I included direct LDAP paths on the Root CA extensions to both the CDP and AIA files in Active Directory.  Yet when I published the root cert to the subordinate CA, a trailing "/" (i.e. "DC=local/") is added to the LDAP path.  Not sure why that is the case.  How do I get rid of this slash?

    Any examples of what the root CA extensions should be would be a big help too.

    Thanks,

    Joel 

    Monday, July 15, 2013 8:24 PM