LDAP CRL issues
I think I have a strange problem. My enterprise CA seems to run fine, although it does give a CRL offline error sometimes. When I run PKIView, it can access the http CRL but not the ldap ones (using the default location). However, if I right-click "Enterprise PKI", select AD containers, select the CDP container, I can see all the CRLs and can view them. Running Server 2008 DC. I exported a certificate it created and ran it through certutil; output below. The CDP and AIA containers exist in adsiedit/adss. I uninstalled the CA and reinstalled, no difference. Any ideas (other than a fresh install) would be greatly appreciated...

Issuer: CN=zat-CA1 DC=zat DC=com
Subject: CN=2008server1.zat.com
Cert Serial Number: 618d348f000600000061

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 37 Minutes, 34 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 37 Minutes, 34 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=zat-CA1, DC=zat, DC=com
  NotBefore: 29/04/2009 9:15 PM
  NotAfter: 29/04/2010 9:15 PM
  Subject: CN=2008server1.zat.com
  Serial: 618d348f000600000061
  SubjectAltName: Other Name:DS Object Guid=04 10 1b 62 f0 13 ff 55 10 42 aa 5a 78 b5 3a 25 22 84, DNS Name=2008server1.zat.com
  Template: DomainController
  2f f7 50 4f 31 5f cc d8 93 a2 73 91 ad 2d 7f 12 7d c8 ca 66
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
    ldap:///CN=zat-CA1,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?cACertificate?base?objectClass=certificationAuthority
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (45)" Time: 0
    [0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6).crl
  Verified "Delta CRL (45)" Time: 0
    [0.0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6)+.crl
  Failed "CDP" Time: 0
    Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
    [0.1.0] ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Failed "CDP" Time: 0
    Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
    ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (45)" Time: 0
    [0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6)+.crl
  Failed "CDP" Time: 0
    Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
    ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 45:
    Issuer: CN=zat-CA1, DC=zat, DC=com
    0a 79 25 f6 35 bc 99 ea e8 94 ce 22 c6 92 7a a1 ae ec aa cd
    Delta CRL 45:
    Issuer: CN=zat-CA1, DC=zat, DC=com
    04 07 b1 13 cc 97 50 04 56 80 4c b4 3e 3c 15 bd 9f 12 95 f7
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=zat-CA1, DC=zat, DC=com
  NotBefore: 29/04/2009 8:13 PM
  NotAfter: 29/04/2014 8:23 PM
  Subject: CN=zat-CA1, DC=zat, DC=com
  Serial: 7f6e5d7070950ca84e844a0d85f1b18f
  Template: CA
  51 84 31 30 03 2d fa 19 45 3f 92 ac e4 8c 2f 35 4a 1c ec 71
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  ad 90 cc 0a df 07 b9 a2 2b 21 d7 52 ba 92 03 01 ef 70 96 4a
Full chain:
  bf 51 aa e9 51 65 32 42 39 0c 97 32 6d ea fe 27 f8 54 41 9f
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
  1.3.6.1.5.5.7.3.2 Client Authentication
  1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
April 29th, 2009 2:41pm
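The trace above is easier to reason about once the AIA/CDP/OCSP blocks are pulled apart per URL: the symptom in this thread is that every http fetch verifies while every ldap:/// fetch fails with the same HRESULT. The script below is an added example, not code from the thread, from certutil, or from Microsoft: it parses a certutil -verify console trace into one record per fetch attempt, groups the failures by URL scheme, and splits each failing LDAP URL (RFC 4516 form: host, DN, attributes, scope, filter) into the object and attribute that should then be compared against what ADSI Edit shows. The embedded SAMPLE_TRACE is constructed from the output in the first post, not a fresh capture.

```python
"""Parse the AIA/CDP/OCSP retrieval blocks of a `certutil -verify` trace."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Constructed sample modelled on the trace in the first post (not a capture).
SAMPLE_TRACE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  ----------------  Certificate AIA  ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
    ldap:///CN=zat-CA1,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?cACertificate?base?objectClass=certificationAuthority
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (45)" Time: 0
    [0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6).crl
  Verified "Delta CRL (45)" Time: 0
    [0.0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6)+.crl
  Failed "CDP" Time: 0
    Error retrieving URL: The system cannot open the device or file specified.
    0x8007006e (WIN32/HTTP: 110)
    [0.1.0] ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Failed "CDP" Time: 0
    Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
    ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
"""

SECTION_RE = re.compile(r"^-+\s*(Certificate AIA|Certificate CDP|Base CRL CDP|Certificate OCSP)\s*-+$")
STATUS_RE = re.compile(r'^(Verified|Failed|OK|No URLs)\s+"([^"]*)"\s+Time:\s*\d+')
ERROR_RE = re.compile(r"^Error retrieving URL:\s*(.*?)\s*(0x[0-9A-Fa-f]{8}.*)?$")
CODE_RE = re.compile(r"^(0x[0-9A-Fa-f]{8})")
URL_RE = re.compile(r"^(?:\[[\d.]+\]\s+)?((?:ldap|https?|file):\S+)$", re.IGNORECASE)

@dataclass
class Attempt:
    section: str                # "Certificate CDP", "Certificate AIA", ...
    status: str                 # Verified / OK / Failed / No URLs
    label: str                  # "Base CRL (45)", "CDP", "AIA", "None"
    url: Optional[str] = None
    error: Optional[str] = None
    code: Optional[str] = None  # HRESULT; 0x8007006e wraps Win32 110 (ERROR_OPEN_FAILED)

@dataclass
class LdapUrl:
    host: str                   # "" (ldap:///) means Windows locates a DC itself
    dn: str
    attributes: list
    scope: str
    filter: str

def parse_trace(text: str) -> list:
    """Collect one Attempt per status line inside an AIA/CDP/OCSP block."""
    attempts, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section, current = m.group(1), None
        elif (m := STATUS_RE.match(line)) and section:
            current = Attempt(section, m.group(1), m.group(2))
            attempts.append(current)
        elif current is None:
            continue
        elif m := ERROR_RE.match(line):   # the code may be inline or on the next line
            current.error = m.group(1)
            if m.group(2):
                current.code = CODE_RE.match(m.group(2)).group(1)
        elif (m := CODE_RE.match(line)) and current.code is None:
            current.code = m.group(1)
        elif (m := URL_RE.match(line)) and current.url is None:
            current.url = m.group(1)      # "[0.1.0]" chain-position prefix dropped
    return attempts

def failures_by_scheme(attempts: list) -> dict:
    """Group failed fetches by URL scheme, e.g. {'ldap': [...]} for the thread's case."""
    out: dict = {}
    for a in attempts:
        if a.status == "Failed" and a.url:
            out.setdefault(a.url.split(":", 1)[0].lower(), []).append(a)
    return out

def parse_ldap_url(url: str) -> LdapUrl:
    """Split an RFC 4516 LDAP URL: ldap://host/dn?attributes?scope?filter."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: " + url)
    host, _, rest = url[len("ldap://"):].partition("/")
    parts = rest.split("?")
    dn = unquote(parts[0])
    attributes = [a for a in unquote(parts[1]).split(",") if a] if len(parts) > 1 else []
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    filt = unquote(parts[3]) if len(parts) > 3 else "(objectClass=*)"
    return LdapUrl(host, dn, attributes, scope, filt)

if __name__ == "__main__":
    for scheme, fails in failures_by_scheme(parse_trace(SAMPLE_TRACE)).items():
        for a in fails:
            print(f"{scheme:5} {a.section:16} {a.code}  {a.url}")
            if scheme == "ldap":
                u = parse_ldap_url(a.url)
                print(f"      object {u.dn}\n      attr {u.attributes} scope={u.scope} filter={u.filter}")
```

On a real machine, redirect the certutil -verify output to a file and pass its contents to parse_trace instead of SAMPLE_TRACE. The DN and attribute printed for each ldap failure are exactly the object and attribute to open in ADSI Edit (Configuration partition), which is the check Mervyn asks for below; a trace where the http URLs verify and only the ldap ones fail points at directory access or DC location rather than at the CRL files themselves.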

Hi, This issue may be caused by corrupt data stored in AD. Open ADSIEDIT.MSC, connect to the Configuration partition, and navigate to CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com. Check CN=2008server1 under CN=CDP and CN=AIA. If there is any error or abnormal behavior, please let us know. Try to run the following commands to collect information for research:

ldifde -f KI.txt -d "CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com" -p subtree
ldifde -f PKI.txt -d "CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com" -p subtree

Note: Replace DC=Domain,DC=com accordingly. Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
April 30th, 2009 12:47pm

Yes, there is probably some corruption somewhere; I just can't figure out where. I haven't used SkyDrive before, so hope it works: http://cid-27c67029fca14da6.skydrive.live.com/self.aspx/PKI%20Problem

The machine is virtualised. I restored a snapshot since the original post, but the error's still there and the files on SkyDrive are current. When I tried uninstalling/re-installing, I wiped stuff from the containers in ADSS. Anyway, if you have any ideas on how to remove any corruption I'll give it a try. Got another CA in another forest, it's working fine, if that's any help. Thanks for your time.
April 30th, 2009 3:45pm

Hi, Thank you for the update. Based on my test, TAZ-CA1(1) - TAZ-CA1(5) should not appear in ADSI Edit. How did you do "when i tried uninstalling/re-installing, i wiped stuff from the containers in ADSS"? Please let us know the detailed steps. Also, please capture a screenshot of the CA Properties: open the CA console, right-click TAZ-CA1(5), choose Properties, switch to the Extensions tab, and choose "ldap:///" in the CRL list. Capture a screenshot and upload it to SkyDrive. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
May 4th, 2009 7:15am

Hi Mervyn, the CRL publishes OK, no errors. Here are the steps I took. Screenshots at http://cid-27c67029fca14da6.skydrive.live.com/browse.aspx/PKI2?authkey=p2KsIbDCvLY%24

I just uninstalled/reinstalled. Check out the bit in bold at the end on re-installing, especially the access denied error.

1/ certutil -shutdown

2/ certutil -key
C:\Users\Administrator>certutil -key
Microsoft Strong Cryptographic Provider:
  le-DomainControllerAuthentication-70bbce24-84a0-4a96-ae7d-214322198916
  0204d6dc1aef68b82a75ca9e82e3571b_82c9b055-d375-4e08-94c0-12ba1b223d65
  AT_KEYEXCHANGE
*** could not find any root certificate key to delete

3/ remove CA role (remove tick from CA) and restart computer

4/ ADSS, expand services\public key services:
  aia - wipe everything
  cdp - wipe everything
  certificate authorities - wipe everything
  enrolment services - wipe everything
  kra - wipe everything

5/ C:\Users\Administrator>ldifde -r "cn=taz-ca1" -d "CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com" -f output.ldf
Connecting to "2008server1.taz.com"
Logging in as current user using SSPI
Exporting directory to file output.ldf
Searching for entries...
Writing out entries
No Entries found
The command has completed successfully

6/ certutil store -? | findstr "CN=NTAuth" (showed nothing)

7/ del %systemroot%\System32\Certlog

8/ C:\Users\Administrator>certutil -ds taz-ca1
CertUtil: -ds command completed successfully.

9/ C:\Users\Administrator>certutil -ds 2008server1
CertUtil: -ds command completed successfully.

10/ C:\Users\Administrator>certutil -ds -v NtAuthCertificates
CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com:
  NTAuthCertificates
    objectClass
      Element 0: "top"
      Element 1: "certificationAuthority"
    cn = "NTAuthCertificates"
    cACertificate
      Element 0: 920 Bytes
.... some bits cut out ....
================ Certificate 5 ================
Serial Number: 32041c93f735a9435f643880a0bb2f
Issuer: CN=Taz-CA1, DC=taz, DC=com
NotBefore: 16/02/2009 6:58 PM
NotAfter: 16/02/2014 7:08 PM
Subject: CN=Taz-CA1, DC=taz, DC=com
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 86 70 44 65 d9 1c 65 de 15 40 bc 42 3d a5 b1 26 7b 3a b7 f5
    authorityRevocationList = EMPTY
    certificateRevocationList = EMPTY
    distinguishedName = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com"
    instanceType = "4"
    whenCreated = "20081127013718.0Z" 27/11/2008 11:37 AM
    whenChanged = "20090430121040.0Z" 30/04/2009 10:10 PM
    uSNCreated = "7584" 0x1da0
    uSNChanged = "241923" 0x3b103
    showInAdvancedViewOnly = "TRUE"
    name = "NTAuthCertificates"
    objectGUID = 40cc4255-2bee-4e5a-a18f-6aa7063a89b1
    objectCategory = "CN=Certification-Authority,CN=Schema,CN=Configuration,DC=taz,DC=com"
    dSCorePropagationData = "16010101000000.0Z" EMPTY
    nTSecurityDescriptor =
      Allow TAZ\Domain Admins Full Control
      Allow TAZ\Enterprise Admins Full Control
      Allow BUILTIN\Administrators Full Control
      Allow Everyone Read
      Allow TAZ\Enterprise Admins Full Control
      Allow TAZ\Domain Admins Full Control

11/ C:\Users\Administrator>certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?base?cACertificate"
ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base
CertUtil: -viewdelstore command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.
******** access denied??? Am logged in as enterprise admin, and enterprise admin has full control on NTAuthCertificates (according to adsiedit)

12/ certutil -viewdelstore DEL all certificates issued to Taz-CA1

13/ regsvr32 /i:i /n /s certcli.dll

14/ run certificates mmc for local computer, wipe all certificates in personal computer store, all taz-ca1 certificates in trusted root ca, intermediate ca, kra/certificates and enrolment requests

=================================================

1/ install CA role, using same name taz-ca1
  * enterprise CA, root, default key (2048), + web enrolment service role
  * pkiview, delete old "untrusted root" certificates from NTAuthCertificates (AD Containers), leaving new one only. (still shows errors on ldap CRL but not http)

2/ gpupdate /force

3/ Checked event viewer - 1 warning:
"Active Directory Certificate Services added the root certificate of certificate chain 0 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore "ldap:///CN=taz-CA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base?objectClass=certificationAuthority" (you must include the quotation marks when you run this command). If the root CA certificate is not present, use the Certificates console on the root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root."

4/ C:\Users\Administrator>certutil -viewstore "ldap:///CN=taz-CA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base?objectClass=certificationAuthority"
ldap:///CN=taz-CA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base?objectClass=certificationAuthority
CertUtil: -viewstore command FAILED: 0x8007006e (WIN32/HTTP: 110)
CertUtil: The system cannot open the device or file specified.

5/ export root ca, then
C:\Users\Administrator>Certutil -dspublish c:\root.cer
ldap:///CN=taz-CA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate
Certificate already in DS store.
ldap:///CN=taz-CA1,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate
Certificate already in DS store.
CertUtil: -dsPublish command completed successfully.
May 4th, 2009 2:16pm

Hi, It seems you shouldn't delete "public key services\aia" and the other subtrees under "public key services". After deleting them, there is an error when trying to reinstall my testing CA role. It may take a long time to find the root cause of this issue, so I suggest you don't delete them when uninstalling. Just stop the service, then uninstall/reinstall the role. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
May 5th, 2009 6:13am

Just to clarify, I didn't actually delete the containers, just the contents. But I will follow your suggestion of leaving them alone. On the weekend I think I might create an enterprise CA on another DC to see if it's a certificate issue, an AD issue or a security access problem. Thanks.
May 5th, 2009 2:51pm

Hi Mervyn, just to throw a spanner in the works: whilst I get errors in pkiview on 2008server1, if I run it from nps1 (which at one stage had a standalone subordinate for IPsec NAP), pkiview is able to get the ldap CRLs. http://cid-27c67029fca14da6.skydrive.live.com/browse.aspx/pkiview%20screenshots?authkey=nq7SmO9*ito%24

pkiview1.jpg is from nps1 (the error on taz-nps1-ca is because the root/subordinate trust is broken; that's OK). BUT it shows full access to CRLs.

pkiview2.jpg is from 2008server1. When run here, it is unable to access CRLs through ldap. The CA certificate on both computers shows the same thumbprint. Weird.....
May 6th, 2009 2:49pm

This topic is archived. No further replies will be accepted.