After renewing issuing CA certificate, Enterprise PKI snap-in reports AIA "unable to download"
I've renewed the Issuing CA certificate with the existing key pair, using this article as reference: http://social.technet.microsoft.com/wiki/contents/articles/root-ca-certificate-renewal.aspx
After the renewal, Enterprise PKI reports status "Unable to download" for AIA locations #2 and #3. All other locations (CDP and DeltaCRL) are fine.
AIA location #2: http://pki.domain.com/ref/REFCMNCA03.refdomain.net_Corp%20REF%20Corporate%20Issuing%20CA1(1).crt
AIA location #3: http://refcmnca03.refdomain.net/CertEnroll/REFCMNCA03.refdomain.net_Corp%20REF%20Corporate%20Issuing%20CA1(1).crt
Both AIA locations can be copied/pasted into the Internet Explorer address field on the issuing CA; when pressing Enter I'm prompted to save the file. This means that the AIA locations are reachable, but why does Enterprise PKI report "unable to download"?
Windows Server 2008 Enterprise Edition (Microsoft Windows NT 6.0.6001 Service Pack 1)
Thanks!
www.twitter.com/danielullmark
December 7th, 2011 4:24am

Have you tried to examine the downloaded certificates? It may be that these are the wrong certificates.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
December 7th, 2011 4:55am

Looking at the downloaded certificates from AIA locations #2 and #3, they are valid from 2011-11-14 to 2016-11-14 and are issued from the correct CA.
In the Certification Authority snap-in, I right-click my issuing CA and select Properties. In the General tab I can see two CA certificates, Certificate #0 and Certificate #1. Certificate #1 is valid 2011-11-14 to 2016-11-14, corresponding with the certificates in AIA locations #2 and #3.
How can I verify this further?
Best regards, Daniel
www.twitter.com/danielullmark
December 7th, 2011 6:27am

Hi, from the issuing CA can you run pkiview.msc? That will give you a good overview of the deployment and CDP/AIA paths. Share the screenshot if you can.
Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent | ADRMS Wiki Portal: Technet Wiki
December 7th, 2011 7:12am

Looking at the downloaded certificates from AIA locations #2 and #3, they are valid from 2011-11-14 to 2016-11-14 and are issued from the correct CA.
In the Certification Authority snap-in, I right-click my issuing CA and select Properties. In the General tab I can see two CA certificates, Certificate #0 and Certificate #1. Certificate #1 is valid 2011-11-14 to 2016-11-14, corresponding with the certificates in AIA locations #2 and #3.
I just tried to stop the CA service and delete (1).crt in C:\Windows\System32\certsrv\CertEnroll. I started the service again and verified that the timestamp of the file is correct. Still "Unable to download" for AIA locations #2 and #3.
The HTTP URL location of AIA #2 and #3 is also used by the CRL and Delta CRL, and Enterprise PKI says that they are OK.
How can I verify this further?
Best regards, Daniel
www.twitter.com/danielullmark
December 7th, 2011 2:20pm
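
One way to verify further what each AIA URL actually serves, as an added PowerShell example that is not part of the original thread: download the file, parse it as a certificate, and compare its thumbprint and validity dates with an exported copy of CA certificate #1. Because the renewal reused the key pair, certificates #0 and #1 share subject and public key, so the thumbprint is what tells them apart. The URL and file path are placeholders, and the function name Test-AiaLocation is hypothetical.

```powershell
# Added example, not from the thread. Replace the placeholders before running.
$AiaUrls = @(
    'http://pki.example.test/CertEnroll/IssuingCA(1).crt'   # placeholder AIA URL
)
$ExpectedCertPath = 'C:\Temp\IssuingCA-cert1.cer'           # placeholder: exported CA certificate #1

function Test-AiaLocation {
    param(
        [string]$Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Expected
    )
    $result = New-Object PSObject -Property @{
        Url = $Url; Downloaded = $false; Subject = $null; Thumbprint = $null
        NotBefore = $null; NotAfter = $null; MatchesExpected = $false; Failure = $null
    }
    $client = New-Object System.Net.WebClient
    try {
        # Fetch the raw bytes, as a client chasing the AIA pointer would.
        $bytes = $client.DownloadData($Url)
        # The leading comma passes the byte[] as one constructor argument.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $result.Downloaded = $true
        $result.Subject    = $cert.Subject
        $result.Thumbprint = $cert.Thumbprint
        $result.NotBefore  = $cert.NotBefore
        $result.NotAfter   = $cert.NotAfter
        # Same subject and key after a same-key renewal, so compare thumbprints.
        $result.MatchesExpected = ($cert.Thumbprint -eq $Expected.Thumbprint)
    }
    catch {
        # HTTP errors and non-certificate content (for example an HTML error page) both land here.
        $result.Failure = $_.Exception.Message
    }
    finally {
        $client.Dispose()
    }
    $result
}

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ExpectedCertPath
$AiaUrls |
    ForEach-Object { Test-AiaLocation -Url $_ -Expected $expected } |
    Format-List Url, Downloaded, MatchesExpected, Subject, Thumbprint, NotBefore, NotAfter, Failure
```

Running `certutil -verify -urlfetch` against a certificate issued by the CA exercises the same AIA and CDP URLs through CryptoAPI's own retrieval path, which this script bypasses.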

Hi Adam, I rebooted the issuing CA; after that the Enterprise PKI MMC snap-in (pkiview.msc) reports no errors at all. Amazing that a reboot is required. Both AIA locations with status "unable to download" were on HTTP, one on the same server as the CA service and the other on an external web site. So reboot is the solution, stunned.
Best regards, Daniel
www.twitter.com/danielullmark
December 8th, 2011 2:46pm

This topic is archived. No further replies will be accepted.
