Hi all!
After installing the AD CS role on Server 2012 R2, the following AIAs are present by default:
Get-CAAuthorityInformationAccess | fl

AddToCertificateAia : False
AddToCertificateOcsp : False
Uri : C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CAName><CertificateName>.crt

AddToCertificateAia : True
AddToCertificateOcsp : False
Uri : ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>

AddToCertificateAia : False
AddToCertificateOcsp : False
Uri : http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt

AddToCertificateAia : False
AddToCertificateOcsp : False
Uri : file://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt

When I delete them all and try to add my own, both the http and OCSP AIAs work fine, but I cannot seem to re-add the first line that points to the local hard drive.
The command:
Add-CAAuthorityInformationAccess -uri "C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CAName><CertificateName>.crt" -Force
gives this error:
Add-CAAuthorityInformationAccess : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
+ Add-CAAuthorityInformationAccess -uri "C:\Windows\system32\CertSrv\CertEnroll\<S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Add-CAAuthorityInformationAccess], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.CertificateServices.Administration.Commands.CA.AddAiaCommand
Two questions:
1. Why do I get that error?
2. Do I even need that AIA? I figured that the CA might read this value to know where to place new CA-certs when renewing (like with CRLs and CDP)?
Tom Aafloen, IT-security Consultant Onevinn AB