trouble with AD CS 2008 test lab:



Hi Folks,

Thanks in advance for the help.

My setup is this:

· DC = LH_DC1, win2k8 server

· PKI server = LH_PKI1, win2k8 server

· Client = LH_CLI1, vista

I set up my test lab using the AD CS Step by Step Guide, and the OCSP
whitepaper. I am still having these issues:



1. I believe my OCSP implementation is working. I can auto enroll
users now, so that would be a good test right? Also, I can download the
latest CRL, and the responder says that it is OK. Before I could not do any
of this. But I am still concerned by what I see when I open server manager.
Under Roles --> Enterprise PKI --> RootCA (v0.0) there is a red X. And in
the right hand pane I see 4 certs with Xs and errors. Two start with AIA,
and 2 start with OCSP. There are two more there named AIA Location #3 and
AIA Location #4 and they are fine. There are two named OCSP Location #1 and
#2 and they have errors. How can I fix this?

Are these locations still valid and should I care? Or is this from when I
was having issues with ocsp? I redid the AIA config (erased the old
http://LH_PKI1 and redid it. That seemed to help.) Am I still having issues
then? If so, how else can I test and resolve this?

I have rebooted the PKI server after I made that change too. Still no luck
in resolving this.



2. When I try to request a certificate from the website:
https://LH_PKI1.contoso.com/certsrv

I can download the latest CRL no problem. But when I go to request a
certificate, I cannot. I get the following error message:

No certificate templates can be found. You do not have permission to
request a certificate from this CA, or an error occurred while accessing the
Active Directory.



I am logged on as a user PKI_user3. I can go into the local certificate
store and request certificates that way.

The same thing is true if I log onto the vista PC with the domain admin
account.

Any more advice here?

I have already created a web server certificate for my website, and the
templates I have created work if I use the cert mmc snapin, and auto
enrolling users gets them certs, so now I am kind of stuck.



I would love to send anyone screen shots of what I see as my descriptions
are not as good as images. Please email if you would look at them:
kristin.l.griffin@xxxxxxxxx


Thanks very much!

Kristin
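An added check for the AIA/OCSP red Xs described in item 1 (example code, not part of the original post). It assumes a certificate issued by the lab CA sits in the local machine store and that the built-in `certutil` tool is available; the issuer pattern `*RootCA*` and the output path are assumptions.

```powershell
# Added example, not part of the original post. The Enterprise PKI snap-in
# marks an AIA/CDP/OCSP location with a red X when the URL written into
# issued certificates cannot be fetched. "certutil -verify -urlfetch" does the
# same fetch from whatever machine you run it on and reports per-URL status,
# so a dead AIA or OCSP location can be identified from a client as well.

function Export-IssuedCertificate {
    # Pick one certificate issued by the lab CA from the machine store and
    # write it to disk so certutil can examine it. Issuer pattern and output
    # path are assumptions for this example.
    param([string]$IssuerPattern = '*RootCA*',
          [string]$OutFile = "$env:TEMP\issued.cer")
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Issuer -like $IssuerPattern } |
            Select-Object -First 1
    if (-not $cert) { throw "No certificate issued by '$IssuerPattern' found" }
    [IO.File]::WriteAllBytes($OutFile, $cert.RawData)
    return $OutFile
}

function Test-CertificateUrls {
    # Reduce certutil's verbose output to one row per URL: which extension it
    # came from (AIA/CDP/OCSP), whether the fetch was Verified or Failed, and
    # the URL itself. Section headers look like "---- Certificate AIA ----",
    # status lines like 'Verified "Certificate (0)" Time: 0'.
    param([string]$CertPath)
    if (-not (Test-Path $CertPath)) { throw "Certificate file not found: $CertPath" }
    $section = ''; $status = ''; $item = ''
    foreach ($line in (certutil -verify -urlfetch $CertPath)) {
        if ($line -match 'Certificate (AIA|CDP|OCSP)') { $section = $Matches[1]; continue }
        if ($line -match '^\s*(Verified|Failed|Expired)\s+"([^"]+)"') {
            $status = $Matches[1]; $item = $Matches[2]; continue
        }
        if ($section -and $line -match '\b(https?|ldap|file)://\S+') {
            New-Object PSObject -Property @{
                Section = $section; Status = $status; Item = $item; Url = $Matches[0]
            }
        }
    }
}

# Usage: export one issued certificate, fetch every URL it carries, and list
# failures first ("Failed" sorts before "Verified") so bad locations stand out.
$cer = Export-IssuedCertificate
Test-CertificateUrls -CertPath $cer |
    Sort-Object Status |
    Format-Table Section, Status, Item, Url -AutoSize
```

A URL that shows as Failed here is the same one the snap-in flags; if the host part is a short name such as http://LH_PKI1, confirm it resolves from the machine running the check.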





