Renew RootCA Cert, AIA location error
I have set up a PKI based on Win2k8R2 in my test environment. It is a 2-tier setup using an offline root and an enterprise subordinate (ROOTCA and SUBCA). I used this doc for setting it up:
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx
The initial deployment is OK; now I am trying some operational tasks to understand how it works.
I am renewing the Root CA certificate, using this guide:
http://technet.microsoft.com/en-us/library/cc780374(WS.10).aspx
After doing so, there are some more .crt and .crl files created:
ROOTCA_ROOTCA(0-1).crt
ROOTCA_ROOTCA(1-0).crt
ROOTCA_ROOTCA(1).crt
And: ROOTCA(1).crl
I imported ROOTCA(1).crl and ROOTCA(1).crt in AD, using Certutil on the SUBCA.
When I open PKIView on the SUBCA, the AIA location is in error.
The path taken from PKIView: CN=ROOTCA(1),.... Error: Unable to download
When I look in ADSI Edit, the path does not exist. Only ROOTCA is there, without (1).
I would think that publishing the new crt and crl would create the ROOTCA(1) entry under AIA, but it seems not to be created.
The CDP location is OK; it points to CN=ROOTCA(1),....
Thanks for any help.
October 7th, 2011 4:20am
Publish the following files to AD:
certutil -f -dspublish ROOTCA_ROOTCA(1).crt RootCA
certutil -f -dspublish ROOTCA_ROOTCA(0-1).crt CrossCA
certutil -f -dspublish ROOTCA_ROOTCA(1-0).crt CrossCA
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
October 7th, 2011 6:11am
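As an added worked example (not part of the thread or of the reply above), the three publish commands carried through from SUBCA, followed by a read-back of the AIA and CDP containers with plain ADSI, which is the same data pkiview.msc shows under "Manage AD Containers". Under the default URL templates the LDAP AIA object is CN=%7 (the sanitized CA name only) and every certificate version is stacked into its multi-valued cACertificate attribute, while the LDAP CDP object is CN=%7%8 (name plus renewal index); that is why a ROOTCA(1) object is expected under CDP but not under AIA. The source folder, the sanitized name ROOTCA and the root's machine name are assumptions.

```powershell
# Added example, not from the thread: publish the renewed offline-root
# artifacts to AD from SUBCA, then list what the AIA and CDP containers
# really contain. Run in an elevated PowerShell on SUBCA as an Enterprise
# Admin (dspublish writes to the Configuration partition). File names are
# the thread's; $Src, $RootName and $RootHost are assumptions.
$Src      = 'C:\PKI\RootRenewal'   # assumed: where the .crt/.crl were copied from ROOTCA
$RootName = 'ROOTCA'               # assumed: sanitized CA name (CN of the AIA object)
$RootHost = 'ROOTCA'               # assumed: root's machine name (CDP subcontainer CN)

# 1. Publish. RootCA writes the cert to the Certification Authorities
#    container and appends it to cACertificate on the AIA object; CrossCA
#    appends the two renewal cross-certs to crossCertificatePair. For the
#    CRL the two optional arguments name the CDP subcontainer and object
#    explicitly (DSCDPContainer DSCDPCN) instead of relying on defaults.
certutil -f -dspublish "$Src\ROOTCA_ROOTCA(1).crt"   RootCA
certutil -f -dspublish "$Src\ROOTCA_ROOTCA(0-1).crt" CrossCA
certutil -f -dspublish "$Src\ROOTCA_ROOTCA(1-0).crt" CrossCA
certutil -f -dspublish "$Src\ROOTCA(1).crl" $RootHost "${RootName}(1)"

# 2. Read the containers back with ADSI. Default templates:
#    AIA object  CN=%7        -> one object per CA, all cert versions inside
#    CDP object  CN=%7%8      -> one object per CRL key index, e.g. ROOTCA(1)
$ConfigNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$PkiBase  = "CN=Public Key Services,CN=Services,$ConfigNC"

'--- AIA container ---'
foreach ($obj in ([ADSI]"LDAP://CN=AIA,$PkiBase").Children) {
    '{0,-24} cACertificate={1}  crossCertificatePair={2}' -f `
        $obj.Properties['cn'].Value,
        $obj.Properties['cACertificate'].Count,
        $obj.Properties['crossCertificatePair'].Count
}

'--- CDP container ---'
foreach ($srv in ([ADSI]"LDAP://CN=CDP,$PkiBase").Children) {
    foreach ($crlObj in $srv.Children) {
        '{0}\{1,-16} certificateRevocationList={2}  deltaRevocationList={3}' -f `
            $srv.Properties['cn'].Value,
            $crlObj.Properties['cn'].Value,
            $crlObj.Properties['certificateRevocationList'].Count,
            $crlObj.Properties['deltaRevocationList'].Count
    }
}

# 3. Decode the root's cACertificate values to confirm the renewed
#    certificate (same subject, later NotAfter) is now among them.
'--- cACertificate values on CN={0} ---' -f $RootName
$aia = [ADSI]"LDAP://CN=$RootName,CN=AIA,$PkiBase"
foreach ($raw in $aia.Properties['cACertificate']) {
    $c = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList (,[byte[]]$raw)
    '{0}  Serial={1}  NotAfter={2:u}' -f $c.Thumbprint, $c.SerialNumber, $c.NotAfter
}
```

If step 3 lists two certificates with the same subject and different serial numbers, the renewed root is in AD and the AIA object is correct as far as publishing goes; a red AIA entry in pkiview.msc at that point means the URL the issued certificates carry does not match the object name, not that publishing failed.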
Did that, still the same problem. PKIView shows red on the AIA path for ROOTCA.
Under "Manage AD Containers", tab "AIA Container" in PKIView, there are now:
- 2 Cross Certificates ROOTCA and ROOTCA(1)
- 1 ROOTCA AIA Certificate
- 1 ROOTCA(1) AIA certificate
- 1 ROOTCA(2) AIA certificate
Any more suggestions?
Thanks
October 7th, 2011 7:46am
Did you try all the steps in the doc?
October 12th, 2011 4:03am
I imported ROOTCA(1).crl and ROOTCA(1).crt in AD, using Certutil on the SUBCA.
When I open PKIView on the SUBCA, the AIA location is in error.
The path taken from PKIView: CN=ROOTCA(1),.... Error: Unable to download
When I look in ADSI Edit, the path does not exist. Only ROOTCA is there, without (1).
Can you dump the AIA configured on your CA using the command:
certutil -getreg ca\cacertpublicationurls
What syntax did you use when importing the CA certificate using certutil -dspublish?
/Hasain
October 12th, 2011 4:25am
Did that, still the same problem. PKIView shows red on the AIA path for ROOTCA.
Under "Manage AD Containers", tab "AIA Container" in PKIView, there are now:
- 2 Cross Certificates ROOTCA and ROOTCA(1)
- 1 ROOTCA AIA Certificate
- 1 ROOTCA(1) AIA certificate
- 1 ROOTCA(2) AIA certificate
Any more suggestions?
Thanks
can you show us output of this command:
certutil -getreg CA\CACertPublicationURLs
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
October 12th, 2011 4:26am
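Both replies above ask for the output of certutil -getreg CA\CACertPublicationURLs. As an added example (not from the thread, and not the poster's or Hasain's code), this reads the same REG_MULTI_SZ values straight from the CA's registry, decodes the flag bits, and flags the one template condition that would make issued certificates point at CN=ROOTCA(1),CN=AIA,... as the thread describes: a %4 (CertificateName) or %8 (CRLNameSuffix) variable inside the CN of the LDAP AIA URL. The default LDAP AIA template uses CN=%7 only, and dspublish creates exactly that object, so any renewal-indexed AIA CN is a name that will never exist in the directory. The thread never confirms this was the cause; the script only tells you whether it applies. The registry path is the standard CertSvc one; the CSURL flag names follow certsrv.h.

```powershell
# Added example, not from the thread: decode CACertPublicationURLs and
# CRLPublicationURLs straight from the CA's registry (the same data
# "certutil -getreg CA\CACertPublicationURLs" prints) and flag a renewal
# index inside the LDAP AIA object name. Run locally on the CA being
# inspected (the offline root cannot be reached with certutil -config).
$Cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName = (Get-ItemProperty -Path $Cfg).Active          # active CA's common name
$CaKey  = Join-Path -Path $Cfg -ChildPath $CaName

# CSURL_* bits from certsrv.h, split by which value they apply to.
$AiaFlags = @{ 1 = 'ServerPublish'; 2 = 'AddToCertAIA'; 32 = 'AddToCertOCSP' }
$CdpFlags = @{ 1 = 'ServerPublish'; 2 = 'AddToCertCDP'; 4 = 'AddToFreshestCRL';
               8 = 'AddToCrlCDP'; 64 = 'ServerPublishDelta'; 128 = 'AddToCrlIDP' }

function ConvertFrom-PublicationUrl {
    # Each REG_MULTI_SZ entry is "<decimal flags>:<URL template>".
    param([string]$Entry, [hashtable]$FlagNames)
    $bits, $url = $Entry -split ':', 2
    $bits = [int]$bits
    $set  = $FlagNames.Keys | Sort-Object | Where-Object { $bits -band $_ } |
            ForEach-Object { $FlagNames[$_] }
    [pscustomobject]@{ Flags = $bits; Set = ($set -join ','); Url = $url }
}

function Test-LdapAiaCn {
    # Default LDAP AIA template:
    #   ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
    # %7 is the sanitized CA name only; dspublish creates that single object
    # and stacks every CA certificate version in its cACertificate attribute.
    # %4 ("(1)" after renewal) or %8 in the CN yields CN=ROOTCA(1),CN=AIA,...
    # which is never created, so chain building and pkiview.msc report
    # "unable to download" for that location.
    param([string]$Url)
    ($Url -like 'ldap:*') -and ($Url -match 'CN=[^,]*%[48]')
}

'--- CACertPublicationURLs ({0}) ---' -f $CaName
foreach ($e in (Get-ItemProperty -Path $CaKey).CACertPublicationURLs) {
    $d    = ConvertFrom-PublicationUrl -Entry $e -FlagNames $AiaFlags
    $note = if (Test-LdapAiaCn $d.Url) { '   <-- renewal index in LDAP AIA CN' } else { '' }
    '{0,4} {1,-36} {2}{3}' -f $d.Flags, $d.Set, $d.Url, $note
}

'--- CRLPublicationURLs ({0}) ---' -f $CaName
foreach ($e in (Get-ItemProperty -Path $CaKey).CRLPublicationURLs) {
    $d = ConvertFrom-PublicationUrl -Entry $e -FlagNames $CdpFlags
    '{0,4} {1,-36} {2}' -f $d.Flags, $d.Set, $d.Url
}
```

Two practical notes. First, %4 is legitimate in file and HTTP AIA names (the default %1_%3%4.crt is how ROOTCA_ROOTCA(1).crt got its name); the check only objects to it inside an LDAP CN. Second, the AIA extension is copied into every certificate the root issues, including SUBCA's, at issuance time; correcting the template with certutil -setreg and restarting certsvc fixes future issuance only, and certificates already carrying the bad URL keep failing until they are renewed.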
Hi Marzzie,
Is there any update on this problem? If so, please feel free to let us know.
October 14th, 2011 4:45am
I had to reinstall the test environment. I did not yet have time to re-set up the environment. I think it would be best to close this thread for now. I'll try again later.
October 17th, 2011 3:33am