Renew RootCA Cert, AIA location error
I have set up a PKI based on Win2k8R2 in my test environment. It is a 2-tier setup using an offline root and enterprise subordinate (ROOTCA and SUBCA). I used this doc for setting it up: http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

The initial deployment is OK; now I am trying some operational tasks to understand how it works. I am renewing the Root CA certificate, using this guide: http://technet.microsoft.com/en-us/library/cc780374(WS.10).aspx

After doing so, there are some more .crt and .crl files created:
ROOTCA_ROOTCA(0-1).crt
ROOTCA_ROOTCA(1-0).crt
ROOTCA_ROOTCA(1).crt
And: ROOTCA(1).crl

I imported ROOTCA(1).crl and ROOTCA(1).crt in AD, using Certutil on the SUBCA. When I open PKIView on the SubCA, the AIA location is in error.
The path taken from PKIView: CN=ROOTCA(1),....
Error: Unable to download

When I look in Adsiedit, the path does not exist. Only ROOTCA is there, without (1). I would think that publishing the new crt and crl would create the ROOTCA(1) entry under AIA, but it seems not to be created. The CDP location is OK, pointing to CN=ROOTCA(1),....

Thanks for any help.
October 7th, 2011 4:20am

Publish the following files to AD:
certutil -f -dspublish ROOTCA_ROOTCA(1).crt RootCA
certutil -f -dspublish ROOTCA_ROOTCA(0-1).crt CrossCA
certutil -f -dspublish ROOTCA_ROOTCA(1-0).crt CrossCA

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
October 7th, 2011 6:11am

Did that, still the same problem. PKIVIEW shows Red on AIA Path for ROOTCA.

Under "Manage AD Containers", tab "AIA Container" in PKI View, now there are:
- 2 Cross Certificates ROOTCA and ROOTCA(1)
- 1 ROOTCA AIA Certificate
- 1 ROOTCA(1) AIA certificate
- 1 ROOTCA(2) AIA certificate

Any more suggestions? Thanks
October 7th, 2011 7:46am

Did you try all the steps in the doc?
October 12th, 2011 4:03am

I imported ROOTCA(1).crl and ROOTCA(1).crt in AD, using Certutil on the SUBCA. When I open PKIView on the SubCa, the AIA location is in error. The path taken from PKIView: CN=ROOTCA(1),.... Error: Unable to download When I look in Adsiedit, the path does not exist. Only ROOTCA is there, without (1)

Can you dump the AIA configured on your CA using the command:
certutil -getreg ca\cacertpublicationurls

What syntax did you use when importing the CA certificate using certutil -dspublish?

/Hasain
October 12th, 2011 4:25am

Did that, still the same problem. PKIVIEW shows Red on AIA Path for ROOTCA. Under "Manage AD Containers", TAB "AIA Container in PKI View, now there are: - 2 Cross Certificates ROOTCA and ROOTCA(1) - 1 ROOTCA AIA Certificate - 1 ROOTCA(1) AIA certificate - 1 ROOTCA(2) AIA certificate Any more suggestions? Thanks

Can you show us the output of this command:
certutil -getreg CA\CACertPublicationURLs

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
October 12th, 2011 4:26am

Hi Marzzie, Is there any update on this problem? If so, please feel free to let us know.
October 14th, 2011 4:45am

I had to reinstall the test environment. I have not yet had time to set the environment up again. I think it would be best to close this thread for now. I'll try again later.
October 17th, 2011 3:33am

This topic is archived. No further replies will be accepted.
