Enterprise PKI Error - CDP & AIA locations "unable to download"

All replies

  • The only ones failing are HTTP URLs, and since it is base CRLs as well as delta CRLs, it probably is not the double-escaping issue (as you guessed).

    1) Try each URL from Internet Explorer on different clients (not just the CA)

    2) Are you using a proxy server? The machine must be set up to use the proxy server to access the HTTP URLs

    3) The root CA is using a NetBIOS name for the HTTP and FILE URLs. Are you manually publishing the root CA certificate and CRL to an online Web server? This should be referenced by a DNS name, not a NetBIOS name

    4) The FILE URLs in the root CA are not supported, and should be removed

    Brian

    Tuesday, June 07, 2011 3:33 PM
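
The URL checks from the reply above (points 3 and 4, plus the double-escaping remark), as an added example that is not part of the original thread: a small linter for the CDP/AIA URLs configured on a CA. The host and file names are constructed, and the `+` check assumes the usual cause of the double-escaping issue: delta CRL file names end in `+`, which IIS 7 and later reject unless `allowDoubleEscaping` is enabled.

```python
from urllib.parse import urlsplit

# Findings, keyed to the checks discussed in the reply above.
FILE_URL = "file-url: FILE URLs are not supported here and should be removed"
NETBIOS = "single-label-host: publish under a DNS name, not a NetBIOS name"
PLUS = "plus-in-path: delta CRL name with '+' needs allowDoubleEscaping on IIS 7+"


def lint_pki_url(url):
    """Return the list of findings for one CDP or AIA URL."""
    scheme = url.split(":", 1)[0].lower()
    if scheme == "file":
        return [FILE_URL]
    if scheme not in ("http", "https"):
        return []  # e.g. ldap: none of the checks in this thread apply
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # No dot and not an IPv6 literal: a single-label (NetBIOS-style) name.
    if host and "." not in host and ":" not in host:
        findings.append(NETBIOS)
    # A literal or percent-encoded '+' in the path triggers request filtering.
    if "+" in parts.path or "%2b" in parts.path.lower():
        findings.append(PLUS)
    return findings


def lint_all(urls):
    """Map each URL to its findings, keeping only URLs that have any."""
    return {u: f for u in urls if (f := lint_pki_url(u))}


# Constructed sample input: names are placeholders, not from the thread.
SAMPLE_URLS = [
    "http://ROOTCA01/CertEnroll/Example-Root-CA.crl",
    "file://\\\\ROOTCA01\\CertEnroll\\Example-Root-CA.crl",
    "http://pki.example.com/CertEnroll/Example-Issuing-CA+.crl",
    "http://pki.example.com/CertEnroll/Example-Issuing-CA.crl",
    "ldap:///CN=Example-Issuing-CA,CN=CDP,CN=Public%20Key%20Services",
]

if __name__ == "__main__":
    for url, findings in lint_all(SAMPLE_URLS).items():
        print(url)
        for finding in findings:
            print("   ", finding)
```
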
  • Thank you for the quick answer Brian!

    I have an identical test environment compared to the production environment. I made a change to the IIS authentication method and in the test environment everything is green now :)

    What I did: I changed the Certenroll virtual folder authentication method from Windows Integrated to Anonymous. Default Web Site and CertSrv are still at the default setting (Windows Integrated).

    This morning I made the same changes to the production environment authentication methods but I still have the same error. Quite confusing....

    Answers to your questions:

    1) All the URLs are working from another client, I just tested

    2) Proxy is not in use in this environment

    3) Root CA certificate and CRL are manually published to SubCA. Actually from tomorrow with a scheduled script

    4) I will remove FILE URLs from root CA

    For me it's quite confusing that the production environment was working correctly before the Web enrollment service was installed. Does the installation change IIS authentication methods? And the same environment has been restored to a virtual test environment, migrated, and the settings are the same as in production.

    The first thing I'm going to do tomorrow is a reboot and then we will see what the situation is with IIS authentication.

    Any more ideas?

    Wednesday, June 08, 2011 4:58 PM
  • I tested pkiview from member server which is W2003 OS and it was working properly.

    Then I restarted the RootCA and SubCa and after restart Enterprise PKI view was able to download information from CDP & AIA locations.

    Summary:

    IIS authentication changes, IISRESET & reboot solved the problem.

    Thanks for your help!

    -Sami

    • Marked as answer by Sami Lamppu Thursday, June 09, 2011 9:46 AM
    Thursday, June 09, 2011 9:46 AM
  • Can you clarify what you mean by "IIS authentication changes" please?


    CarolChi
    Sunday, July 24, 2011 3:16 PM
  • The default IIS authentication settings after installation are "Windows Integrated Authentication".

    I changed the authentication method of the Certenroll virtual folder from "Windows Integrated" to "Anonymous". The authentication method change and a reboot helped in my case.

    -Sami

    Tuesday, August 16, 2011 4:11 AM
  • I am new to PKI. How do you remove the file URLs for the root CA (offline) as suggested above?
    Friday, August 19, 2011 12:08 PM
  • The file URLs are included on issued certificates (CRL point). In this scenario it's found in the SubCA certificate.

    You can remove the file URL from the RootCA console (Extensions - CRL & AIA locations). When you have removed the file URL, it no longer affects new certificates which the RootCA will issue.

    When the SubCA certificate is renewed, the file URL is no longer included (in the CRL point).

    -Sami

    Sunday, August 21, 2011 5:21 PM
  • I have the same issue as Sami Lamppu. In your fourth option in the list you say "I will remove the FILE URL's from the Root CA", but how do I do that? I want to remove AIA Location #2 and CDP Location #2. I reinstalled my servers several times but I still get the same problem. I am not that experienced with AC; I am currently learning for my MCTS: Active Directory 2008.

    Check Image for more info, hope to hear from you soon, thanks in advance.

    Wednesday, December 21, 2011 7:13 PM
  • Hi,

    You have a one-tier CA hierarchy based on your picture. If you want to remove URLs you have to open "Contoso-Issuing-CA01" properties and choose the "Extension" sheet. There are CDP & AIA locations which you can modify.

    But once modified, only new certificates will have the new locations included.

    This means that if you want modified locations to be seen on "Enterprise PKI" tool you have to renew Certificate Authority's own certificate.

    Brgds,

    Sami 

    Thursday, December 22, 2011 4:51 AM
  • Sami,

    Thanks for the reply, I checked the file locations, but how can I edit the .crt files to change the URLs?

    Regards,

    PFerryman

    Thursday, December 22, 2011 6:34 PM
  • You cannot edit a CRT file. The file is a signed object.

    You will have to fix the configuration at the issuing CA (the root for a subordinate CA), then renew the issuing CA certificate (or reinstall) to get the corrected URLs.

    Brian

    Thursday, December 22, 2011 9:24 PM