Certificate Services problem
Hi,In pkiview for my issuing CA it shows that the AIA and CRL http locations are status = "unable to download" -- the ldap locations are OKin the server event logs i can see the following:certsvc event id 86: Certificate Services could not use the provider specified in the registry for encryption keys. Keyset does not exist 0x80090016 (-2146893802)certsvc event id 87: Certificate Services could not use the default provider for encryption keys. Keyset does not exist 0x80090016 (-2146893802)Based on a previous thread i started suspecting an IIS issue, but ssl is not enabled on the certenroll folder... im kinda stumped. any help is appreciated.
October 2nd, 2009 3:38pm
These are two separate issues:1) If it states you cannot download, have you tested downloading the files. it is either the case that the URL is incorrect, the CRL and CA certificate are not copied to the referenced location, or the CA requires that its proxy be set. (the machine account is used in PKIView and will require proxy access if you use a proxy server.2) The key set issues sound like an incorrectly configured HSM or something wrong with the acquistion of the CA Exchange certificateBrian
Free Windows Admin Tool Kit Click here and download it now
October 3rd, 2009 2:54am
Odd ... It defenatly has something to do with security, after a bit af research.This posting is provided "AS IS" with no warranties, and confers no rights.
October 3rd, 2009 5:54am
Hi,Try this: http://support.microsoft.com/kb/908572/en-usSeems to be your problem.good luck!
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2009 11:17am
Brian - The URL appears to be correct. We do have a proxy server -- i dont see in pkiview a place to configure any proxy specific settings, so are you saying that the proxy server itself needs to be configured to authenticate the machine acct?Chucky07 - already tried that, to no avail.
October 5th, 2009 3:16pm
Try proxycfg.exe (windows 2003) or netsh winhttp set proxy (windows 2008) in order to configure proxy.Best regardsMartin Rublik
Free Windows Admin Tool Kit Click here and download it now
October 5th, 2009 3:42pm
Thanks for everyones inputi fixed the problems... they were 2 separate issues...1) needed to manually copy the root ca crl to the issuing ca2) gpo was setting "Deny access to this computer from the network" and the IIS anonymous acct was being affected by virtue of its group membershipthanks again
October 5th, 2009 10:33pm


