pkiview.msc not seeing changes in AIA or CDP

3,288 views

Topher2798
Jun 1, 2007, 2:32:00 PM

Hi all,

I'm implementing a new PKI environment and after running pkiview.msc to
check the health of the pki, I noticed a syntax error on a subCA in one of
the ldap paths for the AIA resulting in the "unable to Download" error.

Since then, I've gone to the SubCA and modified the AIA path as well as
adding a second location to the extension. However, pkiview still shows the
error and lists the old path, not to mention not picking up the additional
location.

I've verified that the extension location changes were updated in the
SubCA's registry. I've also restarted Certificate Services as well as going
so far as to reboot the SubCA Server but pkiview STILL shows the old paths.

Exactly how is pkiview getting its information, and how do I get it to
obtain the newly corrected locations?

Also, since I've made the changes I published a test certificate from this
SubCA and enrolled it from my desktop, everything in the cert checks out, the
chain is good and the AIA and CDP paths reflect the corrected paths I
changed. So if this is the case, why is pkiview still squawking that it's
broken?

Brian Komar
Jun 2, 2007, 12:56:15 AM

Issue a new CA exchange certificate. PKIView uses the information from the
last CA Exchange certificate for enterprise CAs.
Brian

Topher2798
Jun 4, 2007, 11:19:00 AM

"Brian Komar" wrote:
> Issue a new CA exchange certificate. PKIView uses the information from the
> last CA Exchange certificate for enterprise CAs.
> Brian

Should I Revoke the current CA Exchange certificate first?
I've tried adding the CAExchange template to the subCA, then enrolling it
via web enrollment from itself, but it didn't correct the issue, and the
newly issued CAExchange certificate is different than the original one listed
in "Issued Certificates". The original shows that it was requested by the
SubCA as servername$ whereas the newly issued cert shows as being requested
by my Enterprise Admin account. pkiview is still not showing the corrected
paths for the AIA.

Did I do something wrong?

Topher2798
Jun 4, 2007, 11:55:01 AM

On another note, this CAExchange certificate expires in three days, when it
renews, will it pick up the updated AIA paths?

If so, should I just leave it alone and let it correct itself?

Thanks

Brian Komar
Jun 4, 2007, 12:44:53 PM

I would let it correct itself. It will actually request before the expiry
date.
Brian

Topher2798
Jun 4, 2007, 2:10:03 PM

Thanks for your help Brian, I'll wait it out until after it renews and see
what happens.

Topher2798
Jun 7, 2007, 9:22:00 AM

Just a followup, the CAExchange certificate renewed itself and now pkiview is
showing a clean bill of health in the environment.

Thanks again Brian!

Mentioning where pkiview looks for these paths might be something worth
adding to your latest revision of the W2K3 PKI and Certificate Security book.
I happen to have a copy of that book and prior to posting this question here,
I looked to it for an answer to this. I also found multiple people out on
the web (through Google searches) who also posed the same question in other
forums but nobody could give them a good straight answer.

Agonize...@gmail.com
Jul 19, 2007, 11:14:32 AM

On Jun 4, 7:44 pm, Brian Komar <bkom...@identit.nospam.ca> wrote:
> I would let it correct itself. It will actually request before the expiry
> date
> Brian

Hi,
Just for knowledge's sake: how does one manually renew the CA Exchange
Certificate (in case I don't have the time to wait for it to renew
itself)?
Thanks

Topher2798
Jul 19, 2007, 12:12:05 PM

Open the Certificates MMC snap-in on the subordinate server where the
certificate is installed, locate the certificate, right-click it, then choose
"All Tasks" from the pop-up menu; within there you'll see "Renew Certificate
with same key" and "Renew Certificate with new key".
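The thread's diagnosis is that PKIView reports the AIA/CDP URLs carried in the CA Exchange certificate, so a registry change to the extension templates is invisible to it until that certificate is reissued. The script below is an added example, not code from this thread or from Microsoft: it reads the CA's configured URL templates from the CertSvc registry key, extracts the AIA and CDP URLs from a certificate file, and reports any URL that no current template could have produced, which is exactly the stale state the original poster saw. It assumes it runs on the CA host under PowerShell 3 or later, that the CA name is taken from the `Active` value under `HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration`, and that `-CertPath` points at a `.cer` file such as the CA Exchange certificate exported from the CA console's "Issued Certificates" view. The script file name `Compare-CaUrls.ps1` is a placeholder.

```powershell
# Added example, not code from the thread. Assumes it runs on the CA host with
# PowerShell 3+ and that $CertPath points to a .cer file, e.g. the CA Exchange
# certificate exported from the CA console's "Issued Certificates" view.
param(
    [Parameter(Mandatory = $true)] [string] $CertPath,
    # The Active value under the CertSvc configuration key names the local CA
    [string] $CAName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active,
    [switch] $TestFetch
)

$cfg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"

# Each registry entry is "flags:template". Bit 0x2 means "include in the extension
# of issued certificates"; the other bits only control where the CA publishes.
function Get-IncludedTemplates([string[]] $Entries) {
    foreach ($e in $Entries) {
        $flags, $template = $e -split ':', 2
        if ([int]$flags -band 2) { $template }
    }
}

# Turn a template such as "ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
# into a regex: every %n token (server name, CA name, config DN, ...) becomes a wildcard.
function ConvertTo-TemplateRegex([string] $Template) {
    $escaped = [regex]::Escape($Template) -replace '%\d+', '.+?'
    return "^$escaped$"
}

# Pull the URL= entries out of an extension's text rendering (Format($true)).
function Get-ExtensionUrls($Cert, [string] $Oid) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-ExtensionUrls([string] $Label, [string[]] $CertUrls, [string[]] $Templates) {
    $patterns = @($Templates | ForEach-Object { ConvertTo-TemplateRegex $_ })
    foreach ($u in $CertUrls) {
        # LDAP URLs in certificates carry %20 where the registry template has spaces
        $decoded = [uri]::UnescapeDataString($u)
        $hits = @($patterns | Where-Object { $decoded -match $_ })
        $fetch = 'skipped'
        if ($TestFetch -and $u -match '^https?://') {
            try { Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing | Out-Null; $fetch = 'ok' }
            catch { $fetch = "failed: $($_.Exception.Message)" }
        }
        [pscustomobject]@{
            Extension     = $Label
            Url           = $u
            MatchesConfig = ($hits.Count -gt 0)
            Fetch         = $fetch
        }
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$aia  = Get-IncludedTemplates $cfg.CACertPublicationURLs   # AIA templates
$cdp  = Get-IncludedTemplates $cfg.CRLPublicationURLs      # CDP templates

$results = @()
$results += Test-ExtensionUrls 'AIA' (Get-ExtensionUrls $cert '1.3.6.1.5.5.7.1.1') $aia
$results += Test-ExtensionUrls 'CDP' (Get-ExtensionUrls $cert '2.5.29.31') $cdp
$results | Format-Table -AutoSize

# MatchesConfig = False means the certificate still carries a URL that no current
# template produces: the registry change has not reached the certificate PKIView
# reads from (for an enterprise CA, the CA Exchange certificate).
$stale = @($results | Where-Object { -not $_.MatchesConfig })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) extension URL(s) do not match the CA's current configuration"
}
```

Run it as `.\Compare-CaUrls.ps1 -CertPath .\CaExchange.cer -TestFetch` on the CA. Before the exchange certificate is reissued, the AIA rows from the old certificate show `MatchesConfig = False` even though the registry is already correct and freshly enrolled end-entity certificates pass; after the renewal the poster describes, every row should match. `-TestFetch` only issues HTTP HEAD requests against the HTTP locations, so a `failed` value there points at the web publishing side rather than at the extension configuration.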