Changing the AIA and CDP for an Issuing CA

Max

I am new to Microsoft PKI and have just installed an offline root CA
and an online Enterprise Subordinate Issuing CA. I am basically
following the "Best Practices for Implementing a Microsoft Windows
Server 2003 PKI" step by step (except with no intermediate CA).

I attempted to move all of the Authority Information Access (AIA) and
CRL distribution point paths for both CAs for http to a separate web
server. I moved the CRL and Certificates for both CAs to the Virtual
Directory on the web server.

Everything worked fine with the root CA (I changed the AIA and CRL
http extensions to point to the web server). When I look at the root
CA in the PKI Health tool, all the AIA and CRL distribution point
locations are correct and the CRL and Certificate are found
successfully (for both http and ldap).

However, I also want to move the AIA and CRL distribution point paths
for http from the Issuing CA to point to the web server. The default
is apparently for them to point to the Issuing CA (as they do now,
even though it does not have IIS installed). I went into Properties >
Extensions of the Issuing CA and changed the AIA and CDP extensions
for http to point to the web server and also checked the box to
include the CDP and AIA extension in issued certificates. However,
even after restarting Certificate Services and Republishing the CRL,
the PKI Health tool still shows "Status - unable to download" for the
AIA and CRL, and the location is still pointing to the Issuing CA
server, not the web server.

Strangely, my changes did apparently make the DeltaCRL location change
to the web server, because now it points to the web server (not the
issuing CA) for http and finds the DeltaCRL fine. But the CDP and AIA
locations still point to the Issuing CA.

What am I missing or doing wrong? Any help would be much appreciated.
 
