While setting up my Two-Tier PKI Hierarchy, I ran into an error on my issuing CA where my AIA Location #2 was unable to download. I viewed this error using the PKIVIEW tool.
I right-clicked on the AIA Location #2 and copied the URL. From there, I opened a web browser and pasted the URL to get more details on the error I was receiving. A 404 Error displayed in the web browser and it stated that the file might have been removed, the name has changed, or the file is temporarily unavailable.
First, I checked my offline CA to make sure that my CA had the proper extension for the AIA location. To check this, I did the following:
- After logging into my offline CA, I went to the Certification Authority by typing in Certification Authority in the search bar.
- In the Certification Authority, right-click on the Root CA and go to Properties
- From there, I checked to see if the AIA extension had the proper naming convention. If the naming convention of the AIA extension is correct, then that means my Certificate was generated with the correct extension (The extension I needed to check: http://pki.harmontech.com/aia/<CaName><CertificateName>.crt)
After making sure the AIA extension was correct, I logged back into my Issuing CA to check the PKIVIEW to look at the AIA Location #2 error once again. Below are the steps to do this:
- After logging into my Issuing CA, I typed in pkiview.msc in the search bar
- Once PKIVIEW opens, I checked the location of the AIA Location #2 and saw that it was looking for a .crt file named HARMON ROOT CA.crt
From there, I did the following troubleshooting steps:
- See if my ROOT CA was in the correct location (In this example, my certificate will need to be in this correct path: E:\inetpub\wwwroot\PKI\aia.)
- Check and see if my ROOT CA is properly named within m(Certificate name needs to be named HARMON ROOT CA.crt).
I noticed that the .crt file located in the AIA folder was named MKEPKI01_HARMON ROOT CA.crt instead of HARMON ROOT CA.crt. From there, I figured out that the cause of this error is that the PKI is looking for HARMON ROOT CA.crt instead of MKEPKI01_HARMON ROOT CA.crt. I renamed the MKEPKI01_HARMON ROOT CA.crt file to HARMON ROOT CA.crt. After doing this, my AIA Location #2 status went from Unable to Download to OK.
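The file-name comparison from the troubleshooting steps above can be scripted. This is an added PowerShell example, not part of the original post: `Test-AiaPublishedFile` is a hypothetical helper, the full URL is assembled from the post's URL pattern and file name as an assumption, and the demo folder and empty file are constructed stand-ins for E:\inetpub\wwwroot\PKI\aia.

```powershell
# Added example: compare the file name an AIA URL asks for with the .crt files
# actually present in the folder the web server publishes.
function Test-AiaPublishedFile {
    param(
        [Parameter(Mandatory)] [string] $AiaUrl,
        [Parameter(Mandatory)] [string] $PublishFolder
    )

    # Last path segment of the URL, with escapes such as %20 decoded.
    $uri      = [System.Uri] $AiaUrl
    $expected = [System.Uri]::UnescapeDataString($uri.Segments[-1])

    $names = @(Get-ChildItem -LiteralPath $PublishFolder -Filter '*.crt' -File |
        ForEach-Object { $_.Name })

    # -contains compares strings case-insensitively, like NTFS file lookups.
    $found = $names -contains $expected

    # Files that end with the expected name but carry a prefix,
    # such as the MKEPKI01_ prefix seen in the post.
    $near = @($names | Where-Object {
        $_ -ne $expected -and
        $_.EndsWith($expected, [System.StringComparison]::OrdinalIgnoreCase)
    })

    [pscustomobject]@{
        ExpectedName = $expected
        Found        = $found
        NearMatches  = $near
    }
}

# Constructed demo data: a temp folder holding one empty, mis-named file.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'aia-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $demo 'MKEPKI01_HARMON ROOT CA.crt') -Force | Out-Null

# Assumed URL, built from the post's pattern and the file name PKIVIEW showed.
$result = Test-AiaPublishedFile `
    -AiaUrl 'http://pki.harmontech.com/aia/HARMON%20ROOT%20CA.crt' `
    -PublishFolder $demo
$result | Format-List
```

The function only reports; it does not rename anything. A result with `Found` false and a non-empty `NearMatches` is the situation described in the post.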