none
Cannot access certificate server via https://localhost/certsrv or http://localhost/certsrv.

    Question

  • Hello, I have been trying for two days now trying to access windows 2008 certificate server "https://localhost/certsrv" with no luck. I've removed certificate services and IIS and reinstalled but still no luck. Can someone assist me with this. I am at a loss.
    Sunday, April 03, 2011 8:52 PM

All replies

  • Do you see the certsvc virtual directory in IIS-Manager?

    If not, did you install ADCS-Webservices?

    I think you don't use a proxy, am I right?

    • Proposed as answer by kkaushal17 Wednesday, July 11, 2012 9:46 AM
    Monday, April 04, 2011 12:48 PM
  • Hello,

    is the default web service started? Maybe another site use the same port as the default web service, so the site was stopped. So you have to change the port or temporary deactivate the other site

    Thursday, April 07, 2011 2:17 PM
  • Hi,

    Any updates on this issue?

    Have you verified the settings as mentioned above?

     

    Regards,

    Sharon


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, April 08, 2011 5:12 AM
    Moderator
  • Hello,

    I'm having the same problem. I have also tried uninstalling/reinstalling both the CA and IIS. In anwser to the question above, I see the virtual directory /CertEnroll only. When I tried to add /CertSrv I get an error "....already exists..." Initially I thought the problem was related to the domain controllers certificate, since regardless of how I try, I can't create the certificate without having the computer name in the subject ie CN=myserver.csptest.testdomain.com, as apposed to CN=csptest.testdomain.com. Attempts to influnce the name have no effect. According to the documentation the complete name must appear in either Subject Alternate or Subject but adding Subject:CN=csptest.testdomain.com; Subject Alternate:myserver.csptest.testdomain.com will still create a certificate that as the computer dns name.

    I can't access the CA's web pages using http://csptest.testdomain.com/CertSrv yields access forbidden the https://csptest.testdomain.com/CertSrv yields the error "....the pages cannot be displayed..."

    I have verified that the CA is working. I can access all http pages and issue certificates. But I cannot access the CA using the web pages nor can I access any other secure site using https.

    Can someone help me?

    Regards,

    Robert

    Tuesday, June 28, 2011 2:51 PM
  • Might be obvious but did you install the "Certificate Authority Web Enrollment" role service together with the CA?


    Technical Specialist Microsoft OCS/Lync & UC Voice Specialisation - http://www.uwictpartner.be
    If you think my post is the answer to your question, please mark it as answer so future visitors can easily find it.
    Friday, July 22, 2011 6:38 PM
  • I dont think he could have access the site trhough http without that role service...
    MCTS...
    Monday, November 14, 2011 3:41 PM
  • Hi ll,

     

    I have the same issue. This is a test environment, fresh build from scratch.

    All Servers are 2008R2 SP1

    ALL Clients are Win7 Ultimate SP1

    All are fully patched with all updates.

    Installed the CA role and web Enrollment.

    I cannot access the HTTPS version of the site from IIS, can only access the HTTP version. I'm stumped.

     

    Any assistance greatly appreciated

     

    Cheers


    ***UPDATE***

    I found the solution (In my case at least)

    On the Cert Server:

    Go to IIS and make a new request for a domain certificate as follows:

    1. IIS, expand so you can see the server name

    2. In the main window, double click on "Server Certificates"

    3. In the action pane, click on "Create Domain Certificate"

    4. Enter relevant details. Restart IIS and then the HTTPS website will appear in the list of sites to browse within IIS.

    What I am not sure of is why this needed to be done. I would have expected this as "a given" through the installation process.

     However, this is a network installed for learning so I guess I am doing just that!

     

    Hope this helps put someone else in the right direction.

    • Edited by Joner39 Wednesday, January 11, 2012 1:56 PM More Information
    • Proposed as answer by JeeNz Tuesday, March 24, 2015 2:31 PM
    Wednesday, January 11, 2012 7:40 AM
  • Hi All,

      I've had this same issue and the problem was that I had logged in with a local account (<Username> + <Password>).

    Assuming you are joined to a domain, to resolve the issue, uninstall your CA role and services, log in with a domain profile instead (ie <Username@domain.com>+<Password>), reinstall CA role and services.

    you should now be able to access localhost/certserv to issue your cert.

    The key is you must log in with a domain profile to administer domain functions.

    Regards,

    - Dan

    • Proposed as answer by Dan_L_Hansen Thursday, April 12, 2012 11:40 PM
    Thursday, April 12, 2012 11:40 PM
  • Might not be the same problem your having, but I ran into this:

    My 2008R2 install puts the code needed for the "Certificate Authority Web Enrollment" service into the "C:\Windows\System32\certsrv\en-US" directory.  So the default URL is http://localhost/CertSrv/en-us not http://localhost/CertSrv.

    If you want to make it use the http://localhost/CertSrv, copy all the files from the "en-US" directory to the certserv directory.  Then modify the default.asp file located in the certsrv directory as follows:

    Open the file in notepad, and find the line at the top that looks like this: <!-- #include FILE="..\certdat.inc" -->

    edit that line to make it look like this: <!-- #include FILE="certdat.inc" -->

    Your just changing the relative path where IIS looks for the certdat.inc file.  It exists in the certsrv directory, so you have to tell IIS to look in its current directory rather than the one above it.

    this worked for me.  Hope it helps you.

    • Proposed as answer by rexif Friday, May 18, 2012 4:52 PM
    Friday, May 18, 2012 4:44 PM
  • This may seem a tad simple but I'm currently doing exercise labs on a virtual machine and I was having this very problem. That is until I realized that I was attempting to access http://localhost/certsrv on the client computer instead of the Server machine. After switching to the Server it brought up the certificate host no problem.

    I realize this was posted almost a month ago but if anyone else has this issue and comes here make sure you are on the server or domain controller when attempting to access the certsrv.

    Monday, May 21, 2012 3:42 AM
  • I realize this is an old forum, but I had the same issue and finally figured out the problem. I needed to create a self-signed certificate and bind the ssl port (443) to the new self-signed certificate rather than binding it to the CA Root Certificate. Both links below describe the fix. Hope this helps others and have a great Sys Admin Day!!

    http://blogs.msdn.com/b/rakkimk/archive/2007/05/25/iis-7-how-to-configure-a-website-for-https.aspx

    http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis/

    • Proposed as answer by gathomas72 Wednesday, February 27, 2013 5:44 PM
    • Unproposed as answer by gathomas72 Wednesday, February 27, 2013 5:44 PM
    • Proposed as answer by gathomas72 Wednesday, February 27, 2013 5:44 PM
    • Unproposed as answer by gathomas72 Wednesday, February 27, 2013 5:45 PM
    Wednesday, August 22, 2012 12:43 PM
  • Have you had any success with your problem? I am having issues with a 2003 Exchange box I am using. I tried to go to http://server/certsrv and it gives me a 404 error. If I use http://server/certsrv, it tells me it is a secure server and needs the https://.

    http://www.msexchange.org/articles-tutorials/exchange-server-2003/security-message-hygiene/SSL_Enabling_OWA_2003.html

    I followed the above link to the letter. I am wondering if maybe I should have been putting in the address of the Domain Controller.  When I try for the Exchange server, it says, not available, or busy.

    Any help would be much appreciated . Thanks!

    Saturday, June 22, 2013 11:11 PM
  • Here is a small blog for Troubleshooting PKI

    http://blogs.technet.com/b/pki/archive/2011/02/28/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview.aspx

    and here is the White paper for the web enrollement service

    http://www.microsoft.com/en-us/download/details.aspx?id=1746

    Fo higher security I allways use https for my PKI Services


    regards Holger Technical Specialist UC

    Sunday, June 23, 2013 7:42 AM
  • Hey all, i was able to fix it by doing 2 things.

    1) create the new domain cert under as described by Joner29 above

    2) use the following URL: Https://<server ip>/certsrv/default.asp

    i am sure there is a way to tell IIS to do the redirect but i am not really trying to learn IIS, just trying to download my CRL :)

    Tuesday, July 02, 2013 2:40 PM
  • Hi,

    under windows server 2012, I have met the same mistake : the certsrv site was correctly installed ( created in IIS Application), but at first time not accessible from the Domain Controller. In the same domain, from another host, I was able to access to certsrv website using http://<<domaincontrollername>>/certsrv. I return on my Domain controller where ADCS was installed (only the 2 features CA and CA Enrollment) and in the browser I have trusted the url http://localhost and it works fine.

    So, in conclusion, you have only to trust your url in the host of ADCS

    Enjoy

    Hassan Boutougha,;-)

    • Proposed as answer by Kamondi Tamás Tuesday, December 23, 2014 4:01 PM
    Sunday, January 05, 2014 10:01 AM
  • Thanks very much for that Rexif - you're an absolute genius.

    I was completely scratching my head why I couldn't get something that should be so simple to work. Your comment resolved my situation. This was for AD CS CA Web Enrollment on Windows 2008R2 SP1. Thanks again.

    Sunday, May 25, 2014 6:56 PM
  • Hi,

    Thank you!
    Your mentioned workaround is working, I've just added https://localhost as Trusted site in IE and it's working fine! :-)

    Regards, Tamás

    Tuesday, December 23, 2014 3:58 PM
  • Hi,

    You should probably look into going into you IIS Manager and under features double click Directory Browsing and under actions select "Enable"

    Then you can go into a web browser and type http://loaclhost/certsrv and should be able to request the cert.


    Friday, February 06, 2015 7:19 PM
  • This was where i was missing the feature. the certsrv directory was not even created until I installed the web features. 

    Wednesday, October 21, 2015 2:16 AM
  • This was where i was missing the feature. the certsrv directory was not even created until I installed the web features. 

    yes, you are right. i installed AD CS Certificate Enrollment Web Service and got this error.
    then i deleted this feature and install another: Certification Authority Web Enrollment - all fine!

    Saturday, December 26, 2015 2:16 PM
  • After Installing CA and CA web enrollment I had to configure the services from server manager -->AD CS.

    After configuring I was able to open using http:/localhost/certsvr but not using https.I had to do binding for https from IIS.

    This worked.

    Saturday, February 27, 2016 12:34 AM
  • 1. Ensure you're on the correct CA server:
    run certutil -dump or certutil -ca to show the CA server name

    2. Check the URL listed in IIS on that CA server - it may be setup differently to the default:

    Friday, November 03, 2017 12:03 AM
  • Check where your certsrv scripts are located (c:\inetpub\wwwroot or subfolder or in c:\windows\system32\certsrv or c:\windows\system32\certsrv\en-us which was in our case.

    It only worked correcting the Virtual Directory Certsrv, Advanced Settings where the Physical Path is mentioned. In our case the pages/scripts were under c:\windows\system32\certsrv\en-us

    Then launch http://<your FQDN of your CertAuth>/certsrv

    Wednesday, January 17, 2018 1:34 PM
  • Thanks!

    I follow your steb and have been fix the issue :)

    Tuesday, April 03, 2018 10:57 AM