AIA .crt not being generated on the file system
Hey Guys, I'm setting up a 2008 PKI with an offline root and an online enterprise CA. I've pretty much got it working but I'm having one last problem. I'm verifying the setup with the pkiview.msc tool and it's giving me the error:

    AIA Location #2 Unable to Download http://server.domain.com/CertEnroll/xxx.crt

The ldap AIA location is fine. When I take a look at the filesystem where the AIA extension is set to write, it hasn't created any files:

    C:\>certutil -getreg CA\CACertPublicationURLs
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Issuing Certificate Authority\CACertPublicationURLs:

      CACertPublicationURLs REG_MULTI_SZ =
        0: 3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
        CSURL_SERVERPUBLISH -- 1
        CSURL_ADDTOCERTCDP -- 2

        1: 0:D:\Certificates\AIA\%1_%3_%4.crt

        2: 2:http://aia.domain.com/CertEnroll/%1_%3_%4.crt
        CSURL_ADDTOCERTCDP -- 2

        3: 0:file://aia.domain.com/CertEnroll/%1_%3_%4.crt
    CertUtil: -getreg command completed successfully.
February 2nd, 2010 8:10am

Your problem is that, for the two locations where you want to publish the CRT file, you've told it not to publish. You need to change 1 and 3 to:

    1: 1:D:\Certificates\AIA\%1_%3_%4.crt
    3: 1:file://aia.domain.com/CertEnroll/%1_%3_%4.crt

Paul Adare
CTO IdentIT Inc.
ILM MVP
February 2nd, 2010 11:41am
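
Added example, not part of the original thread: a PowerShell sketch that decodes `flags:URL` entries like those in the first post, using the two bit names certutil prints (CSURL_SERVERPUBLISH = 1, CSURL_ADDTOCERTCDP = 2), and warns when an HTTP URL is included in issued certificates but no file location for the same file name has the publish bit set. The function name and the `<CA name>` placeholder are assumptions made for illustration.

```powershell
# Entries copied from the certutil output in the first post of this thread.
$entries = @(
    '3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    '0:D:\Certificates\AIA\%1_%3_%4.crt',
    '2:http://aia.domain.com/CertEnroll/%1_%3_%4.crt',
    '0:file://aia.domain.com/CertEnroll/%1_%3_%4.crt'
)
# On the CA itself the same list can be read from the registry
# (<CA name> is a placeholder for the CA's configuration key):
# $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>'
# $entries = (Get-ItemProperty -Path $key).CACertPublicationURLs

$SERVERPUBLISH = 1   # CSURL_SERVERPUBLISH, as annotated by certutil
$ADDTOCERTCDP  = 2   # CSURL_ADDTOCERTCDP, as annotated by certutil

# Hypothetical helper: split one "flags:URL" entry and decode the two bits.
function ConvertFrom-PublicationUrl {
    param([string]$Entry)
    if ($Entry -notmatch '^(\d+):(.+)$') { throw "Unrecognised entry: $Entry" }
    $flags = [int]$Matches[1]
    $url   = $Matches[2]
    $kind  = if ($url -match '^ldap:') { 'ldap' }
             elseif ($url -match '^https?:') { 'http' }
             else { 'file' }          # local paths, UNC paths and file:// URLs
    [pscustomobject]@{
        Flags    = $flags
        Kind     = $kind
        Publish  = [bool]($flags -band $SERVERPUBLISH)
        InCert   = [bool]($flags -band $ADDTOCERTCDP)
        FileName = ($url -split '[\\/]')[-1]   # file name template, e.g. %1_%3_%4.crt
        Url      = $url
    }
}

$parsed = $entries | ForEach-Object { ConvertFrom-PublicationUrl $_ }
$parsed | Format-Table Flags, Kind, Publish, InCert, Url -AutoSize

# Every HTTP URL that ends up in issued certificates should have at least one
# file location with the publish bit set for the same file name template.
foreach ($http in ($parsed | Where-Object { $_.Kind -eq 'http' -and $_.InCert })) {
    $writers = $parsed | Where-Object {
        $_.Kind -eq 'file' -and $_.Publish -and $_.FileName -eq $http.FileName
    }
    if (-not $writers) {
        Write-Warning "$($http.Url) is included in issued certificates, but no file location has CSURL_SERVERPUBLISH set for $($http.FileName)"
    }
}
```

With the entries from the first post this prints one warning for the `http://aia.domain.com` URL; with entries 1 and 3 changed to flag 1, as in the reply above, it prints none.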

Paul, I'm having the same issue with (AIA Location #2 / DeltaCRL Location #2 / CDP Location #2) Unable to Download. Here is the output when I run certutil -getreg CA\CAcertpublicationURLs:

    C:\>certutil -getreg CA\CAcertpublicationURLs
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DC1\CACertPublicationURLs:

      CACertPublicationURLs REG_MULTI_SZ =
        0: 1:C:\WINDOWS\system32\CertSrv\CertEnroll\%1_%3%4.crt
        CSURL_SERVERPUBLISH -- 1

        1: 3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
        CSURL_SERVERPUBLISH -- 1
        CSURL_ADDTOCERTCDP -- 2

        2: 2:http://%1/CertEnroll/%1_%3%4.crt
        CSURL_ADDTOCERTCDP -- 2

        3: 0:file://\\%1\CertEnroll\%1_%3%4.crt
    CertUtil: -getreg command completed successfully.

Can you tell me how to fix this in detail? Much appreciated.

MCSE
May 28th, 2010 2:39am

This is not an AIA extension configuration issue. By default, IIS 7.0 (on Server 2008/R2) prevents double-escaping in URLs. The + character in the delta CRL is considered double-escaping. Follow the steps in the following URL to fix: http://blogs.technet.com/b/pki/archive/2008/02/25/how-to-avoid-delta-crl-download-errors-on-windows-server-2008-with-iis7.aspx

Brian
May 29th, 2010 6:07pm

Brian, appcmd doesn't work. Here is the error:

    C:\Windows\System32\inetsrv>appcmd set config "Default Web Site/PKI" -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true
    Applied configuration changes to section "system.webServer/security/requestFiltering" for "MACHINE/WEBROOT/APPHOST/Default Web Site/PKI" at configuration commit path "MACHINE/WEBROOT/APPHOST/Default Web Site/PKI"
    ERROR ( hresult:80070003, message:Failed to commit configuration changes.
    The system cannot find the path specified.
    )

It-admin
MCSE
June 8th, 2010 9:05am

This topic is archived. No further replies will be accepted.
