OK, so I updated my CDP and AIA extensions on my root and issuing CA (Srv 2012 R2) because there previously was not an http location. I've looked at a couple of other threads here about the red x's in pkiview and I kind of understand why I am getting them, but I'm not sure about the numbers. I've now spent 4 hours trying to fix something that is probably simple, and I'm not sure if I can just delete what is in the http location and start over.
Here are the locations I am using, root first then issuing. The http variables are at the top of the script.
REM Root CA: CRL (CDP) locations, then CA certificate (AIA) locations
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://%WebServer%/%WebDir%/%%3%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://%WebServer%/%WebDir%/%%3%%4.crt"
REM Issuing CA: CRL (CDP) locations, then CA certificate (AIA) locations
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n6:http://%WebServer%/%WebDir%/%%3%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://%WebServer%/%WebDir%/%%3%%4.crt"
Here is what I did. I ran my post install scripts on the root and issuing and checked that the extensions were updated on both. I then did a root renewal and kept the same private key. I copied the crl and crt files from root to c:\windows...\certenroll on the issuing and I also copied them to the http location on the web server.
Then on the issuing server that has the wrong aia and cdp in its orig cert, I created a req file, sent to root and imported it etc got the new cert and imported that back into the issuing. Checked and the aia and cdp are correct in the new cert.
I did a certutil -crl on the root and issuing, followed by a certutil -dspublish f on the crl files. Restarted everything.
Then I imported the new issuing ca cert in the default domain gpo where the original issuing cert is (that has the wrong embedded cdp and aia). Not sure if I leave the old there or delete it. It has the incorrect aia and cdp paths.
OK, perhaps I missed something. What I see in pkiview is this. I was actually able to fix one x but don't understand the other red x's, and perhaps it is because I don't have the %%1_ in the post scripts: it does create the servername_caname.crt, but since the http path has the %%1 removed I'm not sure if I should rename the file.
Anyhow, in pkiview I have two subsections. One represents the root and the other the issuing.
Enterprise PKI
CAname1 (V1.0) this is root
CAname2 (V2.0) Issuing section
When I click on the CAname1 (V1.0) I have this.
caname (v2.0) ERROR then no further details
AIA Location #1 Unable to Download ldap:///CN=caname1,CN=AIAetc etc
AIA Location #2 Unable to Download http://pki.domain.com/crl/memorial1(1).crt
In the root local path I DO have a caname1.crl file and it also exists in the same location on the issuing and http.
In the root local path my crt was created, called servername_caname1.crt, and I have another called servername_caname1(1).crt. I realize the path is looking for it without the servername part, though, because I removed the %%1_. Those files also exist on the issuing and in the http folder. I tried keeping the name as is and also renaming it caname1(1).crt, and I still have the pkiview error.
pkiview section for issuing
caname (v2.0)
AIA location #2 unable to download http://pki.domain.com/caname(2).crt
All the other CDP and Delta paths are fine.
So I realize it is looking for caname(2).crt but the file generated is servername_caname(2).crt. Would it be easier to add the %%1_ back in and just start over? I'm pretty sure I just tried to rename that as well.
What am I missing or doing wrong? :/
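The numbers in front of each entry and the %%n tokens are what decide both the file name the CA writes and the URL it stamps into issued certificates, and pkiview only ever fetches the URL that is already inside the certificate. The PowerShell below is an added example, not code from the original post: it decodes the numeric flag prefix into the bit names that `certutil -getreg CA\CRLPublicationURLs` prints, expands the %%1..%%11 replacement tokens the way the CA does, and then tries to fetch each expanded location. The token meanings (%1 ServerDNSName, %2 ServerShortName, %3 CaName, %4 CertificateName, %6 ConfigDN, %7 CATruncatedName, %8 CRLNameSuffix, %9 DeltaCRLAllowed, %10 CDPObjectClass, %11 CAObjectClass) are the documented certutil tokens; the host name, CA name, domain DN and web server are constructed placeholders, and `Expand-CaUrlEntry` / `Test-CaUrl` are names chosen for this example. It runs over the root CA's AIA entries and the issuing CA's CDP entries exactly as they appear in the script above.

```powershell
# Added example; not from the original post. Decodes the numeric flag prefix on each
# CRLPublicationURLs / CACertPublicationURLs entry and expands the %n tokens the way the
# CA does, so the file name the CA will publish can be compared with the URL pkiview.msc
# tries to fetch. Every host, CA and domain name below is a constructed placeholder.

# Flag bit names as printed by "certutil -getreg CA\CRLPublicationURLs". The same bit
# values apply to CACertPublicationURLs, where 2 means "add to the AIA extension".
$FlagNames = @{
    1   = 'CSURL_SERVERPUBLISH'       # CA writes the CRL / CA cert to this location
    2   = 'CSURL_ADDTOCERTCDP'        # URL goes into the CDP (or AIA) extension of issued certs
    4   = 'CSURL_ADDTOFRESHESTCRL'    # URL goes into the Freshest CRL extension of base CRLs
    8   = 'CSURL_ADDTOCRLCDP'         # URL goes into the CDP extension of CRLs
    32  = 'CSURL_ADDTOCERTOCSP'       # URL goes into the AIA extension as an OCSP responder
    64  = 'CSURL_SERVERPUBLISHDELTA'  # CA writes delta CRLs to this location
    128 = 'CSURL_ADDTOIDP'            # URL goes into the Issuing Distribution Point of CRLs
}

function Expand-CaUrlEntry {
    param(
        [Parameter(Mandatory)][string]$Entry,        # e.g. '2:http://%WebServer%/%WebDir%/%%3%%4.crt'
        [Parameter(Mandatory)][hashtable]$Tokens,    # values for %1 .. %11
        [hashtable]$ScriptVars = @{}                 # batch-script variables such as %WebServer%
    )
    if ($Entry -notmatch '^(\d+):(.*)$') { throw "No numeric flag prefix in entry: $Entry" }
    $flags    = [int]$Matches[1]
    $template = $Matches[2] -replace '%%', '%'       # a batch file doubles the percent sign
    $meaning  = foreach ($bit in ($FlagNames.Keys | Sort-Object)) {
        if ($flags -band $bit) { $FlagNames[$bit] }
    }
    $url = $template
    foreach ($name in $ScriptVars.Keys) { $url = $url.Replace("%$name%", [string]$ScriptVars[$name]) }
    # Replace %11 and %10 before %1, otherwise "%1" would consume the first digit of "%10".
    foreach ($n in 11..1) { $url = $url.Replace("%$n", [string]$Tokens[$n]) }
    $url = [Environment]::ExpandEnvironmentVariables($url)   # resolves %WINDIR% on the CA itself
    [pscustomobject]@{ Flags = $flags; Meaning = ($meaning -join ', '); Expanded = $url }
}

function Test-CaUrl {
    # Reports whether the expanded location can be fetched, as pkiview / certutil would try to.
    param([Parameter(Mandatory)][string]$Url)
    if ($Url -match '^https?://') {
        try { return (Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -ErrorAction Stop).StatusCode -eq 200 }
        catch { return $false }
    }
    if ($Url -match '^ldap:') { return 'not checked here (use certutil -URL or certutil -verify -urlfetch)' }
    return Test-Path -LiteralPath $Url
}

# Constructed tokens for a root CA "CAname1" on ca01.example.local that was renewed once with
# the same key: %4 becomes "(1)" while the CRL suffix %8 stays empty, matching "caname1.crl".
$Tokens = @{
    1  = 'ca01.example.local'                     # ServerDNSName
    2  = 'CA01'                                   # ServerShortName
    3  = 'CAname1'                                # CaName
    4  = '(1)'                                    # CertificateName (renewal index)
    6  = 'CN=Configuration,DC=example,DC=local'   # ConfigDN
    7  = 'CAname1'                                # CATruncatedName
    8  = ''                                       # CRLNameSuffix (first key)
    9  = ''                                       # DeltaCRLAllowed ('+' when naming a delta CRL)
    10 = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'
    11 = '?cACertificate?base?objectClass=certificationAuthority'
}
$ScriptVars = @{ WebServer = 'pki.example.local'; WebDir = 'crl' }   # placeholders for the script's variables

# Root CA AIA entries as in the post: with %%3%%4 (no %%1_) the CA publishes and the certificate
# references "CAname1(1).crt", so a copy named "ca01.example.local_CAname1(1).crt" on the web
# server can never satisfy AIA Location #2.
$AiaEntries = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%4.crt',
    '3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11',
    '2:http://%WebServer%/%WebDir%/%%3%%4.crt'
)
# Issuing CA CDP entries as in the post: 65 = publish base + delta CRL, 79 = publish both and
# put the LDAP URL in every extension, 6 = http URL in the CDP and Freshest CRL extensions only.
$CdpEntries = @(
    '65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl',
    '79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10',
    '6:http://%WebServer%/%WebDir%/%%3%%8%%9.crl'
)

foreach ($entry in ($AiaEntries + $CdpEntries)) {
    $r = Expand-CaUrlEntry -Entry $entry -Tokens $Tokens -ScriptVars $ScriptVars
    $r | Add-Member -NotePropertyName Reachable -NotePropertyValue (Test-CaUrl -Url $r.Expanded) -PassThru |
        Format-List
}
```

Run it on the CA with the real entries pasted from `certutil -getreg CA\CRLPublicationURLs` and `certutil -getreg CA\CACertPublicationURLs`, and cross-check with `certutil -verify -urlfetch` against the newly issued subordinate CA certificate, which reports the same per-URL fetch results pkiview shows. The practical consequence of the expansion is that the file on the web server has to carry exactly the name in the expanded http URL; editing the template afterwards changes only certificates issued from then on, not the URLs already embedded in the existing issuing CA certificate that the GPO distributes.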