Certificate and AIA locations problem
Here is my problem.
I have a standalone root CA and a subordinate enterprise CA which is on 2008 R2. I have a computer certificate issued to a netbook which is in a separate network and which is not in the domain. This certificate contains three AIA locations: the first is LDAP, the second is an internal HTTP server and the third is an external HTTP server. Only the external HTTP server is accessible to this netbook.
So the problem is that when I try to open the certificate through the Certificates snap-in, I can see that Windows can't verify this certificate. I launched a sniffer and saw that when I try to open this certificate, there are only a few SYN packets sent to our internal HTTP server and that is all. I can't see any packets going to either LDAP or the external HTTP server. So naturally Windows is not able to verify the certificate. So my question is: why is that? Why are there no attempts to download the CA certificate from the other AIA locations? The netbook is running Windows 7.
March 2nd, 2011 3:37am
Hi,
To better understand the issue, please export the certificate to a .cer file (c:\certificate.cer, for example) and run certutil -verify -urlfetch against the .cer file on the netbook.
For example, certutil -verify -urlfetch c:\certificate.cer
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 2nd, 2011 9:02pm
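To see which AIA locations a certificate carries and in what order, the following added example (not part of the original thread) parses a DER-encoded Authority Information Access extension value with the Python standard library only. The sample URLs, the `der` helper and the `usable_off_domain` heuristic are constructed for illustration; nothing here probes the network.

```python
from urllib.parse import urlsplit

# DER-encoded accessMethod OIDs (RFC 5280, section 4.2.2.1)
CA_ISSUERS = bytes.fromhex("2b06010505073002")   # 1.3.6.1.5.5.7.48.2
METHODS = {CA_ISSUERS: "caIssuers", bytes.fromhex("2b06010505073001"): "ocsp"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def aia_locations(ext_value):
    """Return [(method, url)] in the order the certificate lists them."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        _, desc, pos = read_tlv(body, pos)   # one AccessDescription
        _, oid, nxt = read_tlv(desc, 0)      # accessMethod
        loc_tag, loc, _ = read_tlv(desc, nxt)
        if loc_tag == 0x86:                  # GeneralName [6] = URI
            found.append((METHODS.get(oid, "other"), loc.decode("ascii")))
    return found

def usable_off_domain(url):
    """Heuristic: host-less ldap:/// URLs depend on the machine's own AD domain."""
    return bool(urlsplit(url).hostname)

def der(tag, value):
    """Encode one DER element; used only to build the constructed sample."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

# Constructed sample: three caIssuers URLs in the order the post describes.
SAMPLE_URLS = [
    "ldap:///CN=Example-SubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=internal?cACertificate?base?objectClass=certificationAuthority",
    "http://pki.example.internal/SubCA.crt",
    "http://pki.example.com/SubCA.crt"]
SAMPLE_AIA = der(0x30, b"".join(
    der(0x30, der(0x06, CA_ISSUERS) + der(0x86, u.encode())) for u in SAMPLE_URLS))
```

`aia_locations(SAMPLE_AIA)` returns the three URLs in certificate order, which can be compared with the URLs that `certutil -verify -urlfetch` reports on the client.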
Hi,
Any update? If there is anything unclear, please feel free to respond back.
Thanks.
March 7th, 2011 1:23am
Is CRL/OCSP checking working fine?
AIA is made for trust distribution, not for certificate authentication validation.
That’s what CRLs and OCSP are for. ;)
// Fredrik "DXter" Jonsson - http://www.poweradmin.se
March 7th, 2011 1:34am


