Do you see the certsvc virtual directory in IIS-Manager?

If not, did you install ADCS-Webservices?

I think you don't use a proxy, am I right?

Do you see the certsvc virtual directory in IIS-Manager?

If not, did you install ADCS-Webservices?

I think you don't use a proxy, am I right?

• Proposed as answer by kkaushal17 Wednesday, July 11, 2012 9:46 AM

Do you see the certsvc virtual directory in IIS-Manager?

If not, did you install ADCS-Webservices?

I think you don't use a proxy, am I right?

• Proposed as answer by kkaushal17 Wednesday, July 11, 2012 9:46 AM

Hello,

is the default web service started? Maybe another site use the same port as the default web service, so the site was stopped. So you have to change the port or temporary deactivate the other site

Hi,

Any updates on this issue?

Have you verified the settings as mentioned above?

Regards,

Hello,

I'm having the same problem. I have also tried uninstalling/reinstalling both the CA and IIS. In anwser to the question above, I see the virtual directory /CertEnroll only. When I tried to add /CertSrv I get an error "....already exists..." Initially I thought the problem was related to the domain controllers certificate, since regardless of how I try, I can't create the certificate without having the computer name in the subject ie CN=myserver.csptest.testdomain.com, as apposed to CN=csptest.testdomain.com. Attempts to influnce the name have no effect. According to the documentation the complete name must appear in either Subject Alternate or Subject but adding Subject:CN=csptest.testdomain.com; Subject Alternate:myserver.csptest.testdomain.com will still create a certificate that as the computer dns name.

I can't access the CA's web pages using http://csptest.testdomain.com/CertSrv yields access forbidden the https://csptest.testdomain.com/CertSrv yields the error "....the pages cannot be displayed..."

I have verified that the CA is working. I can access all http pages and issue certificates. But I cannot access the CA using the web pages nor can I access any other secure site using https.

Can someone help me?

Regards,

Robert

Might be obvious but did you install the "Certificate Authority Web Enrollment" role service together with the CA?

Hi ll,

I have the same issue. This is a test environment, fresh build from scratch.

All Servers are 2008R2 SP1

ALL Clients are Win7 Ultimate SP1

All are fully patched with all updates.

Installed the CA role and web Enrollment.

I cannot access the HTTPS version of the site from IIS, can only access the HTTP version. I'm stumped.

Any assistance greatly appreciated

Cheers

***UPDATE***

I found the solution (In my case at least)

On the Cert Server:

Go to IIS and make a new request for a domain certificate as follows:

1. IIS, expand so you can see the server name

2. In the main window, double click on "Server Certificates"

3. In the action pane, click on "Create Domain Certificate"

4. Enter relevant details. Restart IIS and then the HTTPS website will appear in the list of sites to browse within IIS.

What I am not sure of is why this needed to be done. I would have expected this as "a given" through the installation process.

 However, this is a network installed for learning so I guess I am doing just that!

Hope this helps put someone else in the right direction.

Hi ll,

I have the same issue. This is a test environment, fresh build from scratch.

All Servers are 2008R2 SP1

ALL Clients are Win7 Ultimate SP1

All are fully patched with all updates.

Installed the CA role and web Enrollment.

I cannot access the HTTPS version of the site from IIS, can only access the HTTP version. I'm stumped.

Any assistance greatly appreciated

Cheers

***UPDATE***

I found the solution (In my case at least)

On the Cert Server:

Go to IIS and make a new request for a domain certificate as follows:

1. IIS, expand so you can see the server name

2. In the main window, double click on "Server Certificates"

3. In the action pane, click on "Create Domain Certificate"

4. Enter relevant details. Restart IIS and then the HTTPS website will appear in the list of sites to browse within IIS.

What I am not sure of is why this needed to be done. I would have expected this as "a given" through the installation process.

 However, this is a network installed for learning so I guess I am doing just that!

Hope this helps put someone else in the right direction.

• Edited by Joner39 Wednesday, January 11, 2012 1:56 PM More Information

Hi ll,

I have the same issue. This is a test environment, fresh build from scratch.

All Servers are 2008R2 SP1

ALL Clients are Win7 Ultimate SP1

All are fully patched with all updates.

Installed the CA role and web Enrollment.

I cannot access the HTTPS version of the site from IIS, can only access the HTTP version. I'm stumped.

Any assistance greatly appreciated

Cheers

***UPDATE***

I found the solution (In my case at least)

On the Cert Server:

Go to IIS and make a new request for a domain certificate as follows:

1. IIS, expand so you can see the server name

2. In the main window, double click on "Server Certificates"

3. In the action pane, click on "Create Domain Certificate"

4. Enter relevant details. Restart IIS and then the HTTPS website will appear in the list of sites to browse within IIS.

What I am not sure of is why this needed to be done. I would have expected this as "a given" through the installation process.

 However, this is a network installed for learning so I guess I am doing just that!

Hope this helps put someone else in the right direction.

• Edited by Joner39 Wednesday, January 11, 2012 1:56 PM More Information

Hi All,

  I've had this same issue and the problem was that I had logged in with a local account (<Username> + <Password>).

Assuming you are joined to a domain, to resolve the issue, uninstall your CA role and services, log in with a domain profile instead (ie <Username@domain.com>+<Password>), reinstall CA role and services.

you should now be able to access localhost/certserv to issue your cert.

The key is you must log in with a domain profile to administer domain functions.

Regards,

- Dan

Hi All,

  I've had this same issue and the problem was that I had logged in with a local account (<Username> + <Password>).

Assuming you are joined to a domain, to resolve the issue, uninstall your CA role and services, log in with a domain profile instead (ie <Username@domain.com>+<Password>), reinstall CA role and services.

you should now be able to access localhost/certserv to issue your cert.

The key is you must log in with a domain profile to administer domain functions.

Regards,

- Dan

• Proposed as answer by Dan_L_Hansen Thursday, April 12, 2012 11:40 PM

Hi All,

  I've had this same issue and the problem was that I had logged in with a local account (<Username> + <Password>).

Assuming you are joined to a domain, to resolve the issue, uninstall your CA role and services, log in with a domain profile instead (ie <Username@domain.com>+<Password>), reinstall CA role and services.

you should now be able to access localhost/certserv to issue your cert.

The key is you must log in with a domain profile to administer domain functions.

Regards,

- Dan

• Proposed as answer by Dan_L_Hansen Thursday, April 12, 2012 11:40 PM

Might not be the same problem your having, but I ran into this:

My 2008R2 install puts the code needed for the "Certificate Authority Web Enrollment" service into the "C:\Windows\System32\certsrv\en-US" directory.  So the default URL is http://localhost/CertSrv/en-us not http://localhost/CertSrv.

If you want to make it use the http://localhost/CertSrv, copy all the files from the "en-US" directory to the certserv directory.  Then modify the default.asp file located in the certsrv directory as follows:

Open the file in notepad, and find the line at the top that looks like this: <!-- #include FILE="..\certdat.inc" -->

edit that line to make it look like this: <!-- #include FILE="certdat.inc" -->

Your just changing the relative path where IIS looks for the certdat.inc file.  It exists in the certsrv directory, so you have to tell IIS to look in its current directory rather than the one above it.

this worked for me.  Hope it helps you.

Might not be the same problem your having, but I ran into this:

My 2008R2 install puts the code needed for the "Certificate Authority Web Enrollment" service into the "C:\Windows\System32\certsrv\en-US" directory.  So the default URL is http://localhost/CertSrv/en-us not http://localhost/CertSrv.

If you want to make it use the http://localhost/CertSrv, copy all the files from the "en-US" directory to the certserv directory.  Then modify the default.asp file located in the certsrv directory as follows:

Open the file in notepad, and find the line at the top that looks like this: <!-- #include FILE="..\certdat.inc" -->

edit that line to make it look like this: <!-- #include FILE="certdat.inc" -->

Your just changing the relative path where IIS looks for the certdat.inc file.  It exists in the certsrv directory, so you have to tell IIS to look in its current directory rather than the one above it.

this worked for me.  Hope it helps you.

• Proposed as answer by rexif Friday, May 18, 2012 4:52 PM

Might not be the same problem your having, but I ran into this:

My 2008R2 install puts the code needed for the "Certificate Authority Web Enrollment" service into the "C:\Windows\System32\certsrv\en-US" directory.  So the default URL is http://localhost/CertSrv/en-us not http://localhost/CertSrv.

If you want to make it use the http://localhost/CertSrv, copy all the files from the "en-US" directory to the certserv directory.  Then modify the default.asp file located in the certsrv directory as follows:

Open the file in notepad, and find the line at the top that looks like this: <!-- #include FILE="..\certdat.inc" -->

edit that line to make it look like this: <!-- #include FILE="certdat.inc" -->

Your just changing the relative path where IIS looks for the certdat.inc file.  It exists in the certsrv directory, so you have to tell IIS to look in its current directory rather than the one above it.

this worked for me.  Hope it helps you.

• Proposed as answer by rexif Friday, May 18, 2012 4:52 PM

This may seem a tad simple but I'm currently doing exercise labs on a virtual machine and I was having this very problem. That is until I realized that I was attempting to access http://localhost/certsrv on the client computer instead of the Server machine. After switching to the Server it brought up the certificate host no problem.

I realize this was posted almost a month ago but if anyone else has this issue and comes here make sure you are on the server or domain controller when attempting to access the certsrv.

I realize this is an old forum, but I had the same issue and finally figured out the problem. I needed to create a self-signed certificate and bind the ssl port (443) to the new self-signed certificate rather than binding it to the CA Root Certificate. Both links below describe the fix. Hope this helps others and have a great Sys Admin Day!!

http://blogs.msdn.com/b/rakkimk/archive/2007/05/25/iis-7-how-to-configure-a-website-for-https.aspx

http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis/

I realize this is an old forum, but I had the same issue and finally figured out the problem. I needed to create a self-signed certificate and bind the ssl port (443) to the new self-signed certificate rather than binding it to the CA Root Certificate. Both links below describe the fix. Hope this helps others and have a great Sys Admin Day!!

http://blogs.msdn.com/b/rakkimk/archive/2007/05/25/iis-7-how-to-configure-a-website-for-https.aspx

http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis/

• Proposed as answer by gathomas72 Wednesday, February 27, 2013 5:44 PM
• Unproposed as answer by gathomas72 Wednesday, February 27, 2013 5:44 PM
• Proposed as answer by gathomas72 Wednesday, February 27, 2013 5:44 PM
• Unproposed as answer by gathomas72 Wednesday, February 27, 2013 5:45 PM

I realize this is an old forum, but I had the same issue and finally figured out the problem. I needed to create a self-signed certificate and bind the ssl port (443) to the new self-signed certificate rather than binding it to the CA Root Certificate. Both links below describe the fix. Hope this helps others and have a great Sys Admin Day!!

http://blogs.msdn.com/b/rakkimk/archive/2007/05/25/iis-7-how-to-configure-a-website-for-https.aspx

http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis/

• Proposed as answer by gathomas72 Wednesday, February 27, 2013 5:44 PM
• Unproposed as answer by gathomas72 Wednesday, February 27, 2013 5:44 PM
• Proposed as answer by gathomas72 Wednesday, February 27, 2013 5:44 PM
• Unproposed as answer by gathomas72 Wednesday, February 27, 2013 5:45 PM

Have you had any success with your problem? I am having issues with a 2003 Exchange box I am using. I tried to go to http://server/certsrv and it gives me a 404 error. If I use http://server/certsrv, it tells me it is a secure server and needs the https://.

http://www.msexchange.org/articles-tutorials/exchange-server-2003/security-message-hygiene/SSL_Enabling_OWA_2003.html

I followed the above link to the letter. I am wondering if maybe I should have been putting in the address of the Domain Controller.  When I try for the Exchange server, it says, not available, or busy.

Any help would be much appreciated . Thanks!

Here is a small blog for Troubleshooting PKI

http://blogs.technet.com/b/pki/archive/2011/02/28/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview.aspx

and here is the White paper for the web enrollement service

http://www.microsoft.com/en-us/download/details.aspx?id=1746

Fo higher security I allways use https for my PKI Services

Hey all, i was able to fix it by doing 2 things.

1) create the new domain cert under as described by Joner29 above

2) use the following URL: Https://<server ip>/certsrv/default.asp

i am sure there is a way to tell IIS to do the redirect but i am not really trying to learn IIS, just trying to download my CRL :)

Hi,

under windows server 2012, I have met the same mistake : the certsrv site was correctly installed ( created in IIS Application), but at first time not accessible from the Domain Controller. In the same domain, from another host, I was able to access to certsrv website using http://<<domaincontrollername>>/certsrv. I return on my Domain controller where ADCS was installed (only the 2 features CA and CA Enrollment) and in the browser I have trusted the url http://localhost and it works fine.

So, in conclusion, you have only to trust your url in the host of ADCS

Enjoy

Hassan Boutougha,;-)

• Proposed as answer by Kamondi Tamás Tuesday, December 23, 2014 4:01 PM

Hi,

under windows server 2012, I have met the same mistake : the certsrv site was correctly installed ( created in IIS Application), but at first time not accessible from the Domain Controller. In the same domain, from another host, I was able to access to certsrv website using http://<<domaincontrollername>>/certsrv. I return on my Domain controller where ADCS was installed (only the 2 features CA and CA Enrollment) and in the browser I have trusted the url http://localhost and it works fine.

So, in conclusion, you have only to trust your url in the host of ADCS

Enjoy

Hassan Boutougha,;-)

• Proposed as answer by Kamondi Tamás Tuesday, December 23, 2014 4:01 PM

Thanks very much for that Rexif - you're an absolute genius.

I was completely scratching my head why I couldn't get something that should be so simple to work. Your comment resolved my situation. This was for AD CS CA Web Enrollment on Windows 2008R2 SP1. Thanks again.

Hi,

Thank you!
Your mentioned workaround is working, I've just added https://localhost as Trusted site in IE and it's working fine! :-)

Regards, Tams

Hi,

You should probably look into going into you IIS Manager and under features double click Directory Browsing and under actions select "Enable"

Then you can go into a web browser and type http://loaclhost/certsrv and should be able to request the cert.