Microsoft Active Directory Certificate Services - Error Messages

Tier 3 Support

Two issues:

1. Under Enterprise PKI, the server shows "DeltaCRL Location #2" and "CDP
Location #2" as Expired. All other locations show OK. Is there any way I
can manually force the PKI to update/renew these CRLs?


2. After installing ADCS Online Responder, I receive the following error
message:
"Bad signing certificate on Array controller"

Operating System
Windows Server 2008 SP1 (64-bit)

Roles
Active Directory Certificate Services
Active Directory Domain Services
DNS
DHCP
IIS

This server is an Enterprise Root CA and also runs the Online Responder.


--------Reply Note--------
Please reply either directly to this post or to it-tier3@visionnet.us
 
Tier 3 Support

UPDATE: Microsoft Active Directory Certificate Services - Error Messages

STATUS: Issue 1: Unresolved
Issue 2: Resolved

UPDATE to "Bad signing certificate on Array controller"
This problem was resolved by:
Adding the OCSP machine account to the "OCSP Signing Certificate"
template with rights "Full Control".
It is presumed that adding only "Read", "Enroll", and "Auto-Enroll" will
be sufficient. "Full Control" was considered an acceptable solution solely
because the hosting machine is also the Enterprise Root CA.


"Tier 3 Support" <it-tier3@visionnet.us> wrote in message
news:eWXILSS4IHA.1196@TK2MSFTNGP05.phx.gbl...
> Two issues:
>
> 1. Under Enterprise PKI, the server shows "DeltaCRL Location #2" and
> "CDP Location #2" as Expired. All other locations show OK. Is there any
> way I can manually force the PKI to update/renew these CRLs?
>
>
> 2. After installing ADCS Online Responder, I receive the following
> error message:
> "Bad signing certificate on Array controller"
>
> Operating System
> Windows Server 2008 SP1 (64-bit)
>
> Roles
> Active Directory Certificate Services
> Active Directory Domain Services
> DNS
> DHCP
> IIS
>
> This server is an Enterprise Root CA and also runs the Online Responder.
>
>
> --------Reply Note--------
> Please reply either directly to this post or to it-tier3@visionnet.us
>
>
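
A way to check the permission point raised in the update above, as an added example that is not part of the original thread: it reads a certificate template's DACL in SDDL form and reports which trustees hold write-type rights beyond Read, Enroll and Autoenroll. The SDDL strings and the SID are constructed sample values, the function names are hypothetical, and it assumes the template's security descriptor has already been exported as SDDL.

```python
import re

# Well-known extended-right GUIDs used on certificate templates.
ENROLL = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
AUTOENROLL = "a05b8cc2-17bc-4802-a710-e7c15ab866a2"

# SDDL right codes for directory objects and their access-mask bits.
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GW": 0x40000000,
        "GX": 0x20000000, "GR": 0x80000000}
# Rights that let a trustee change or delete the template or its ACL.
WRITE = ("CC", "DC", "SW", "WP", "DT", "SD", "WD", "WO", "GA", "GW")

def to_mask(rights):
    """Convert an SDDL rights field (letter codes or 0x hex) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= BITS[code]
    return mask

def summarize(sddl):
    """Map each trustee to its enrollment and write rights from allow ACEs."""
    out = {}
    for body in re.findall(r"\(([^()]*)\)", sddl):
        f = body.split(";")
        if len(f) != 6 or f[0] not in ("A", "OA"):
            continue  # deny and audit ACEs are outside this check
        mask, guid, trustee = to_mask(f[2]), f[3].lower(), f[5]
        e = out.setdefault(trustee, {"enroll": False, "autoenroll": False, "write": set()})
        if mask & (BITS["CR"] | BITS["GA"]):
            e["enroll"] |= guid in ("", ENROLL)  # empty GUID = all extended rights
            e["autoenroll"] |= guid in ("", AUTOENROLL)
        e["write"] |= {c for c in WRITE if mask & BITS[c]}
    return out

def over_privileged(sddl, admins):
    """Trustees outside `admins` holding any write-type right on the template."""
    return sorted(t for t, e in summarize(sddl).items() if e["write"] and t not in admins)

# Constructed sample DACLs; the SID stands in for the OCSP machine account.
OCSP = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BASE = "O:EAG:EAD:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)(A;;LCRPLORC;;;AU)"
FULL_CONTROL = BASE + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;%s)" % OCSP
LEAST = BASE + "(A;;LCRPLORC;;;{0})(OA;;CR;{1};;{0})(OA;;CR;{2};;{0})".format(OCSP, ENROLL, AUTOENROLL)

if __name__ == "__main__":
    print(over_privileged(FULL_CONTROL, {"EA"}), over_privileged(LEAST, {"EA"}))
```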
 
Brian Komar (MVP)

Inline...

"Tier 3 Support" <it-tier3@visionnet.us> wrote in message
news:eWXILSS4IHA.1196@TK2MSFTNGP05.phx.gbl...
> Two issues:
>
> 1. Under Enterprise PKI, the server shows "DeltaCRL Location #2" and
> "CDP Location #2" as Expired. All other locations show OK. Is there any
> way I can manually force the PKI to update/renew these CRLs?
>


How many CAs in the CA hierarchy?
What protocol is referenced in the failed locations?
What protocols are you using to transfer the Base and delta CRL to these
locations?
You probably need a scheduled task or something else to copy the files at
regular intervals.


>
> 2. After installing ADCS Online Responder, I receive the following
> error message:
> "Bad signing certificate on Array controller"


More information is needed. What certificate was deployed as the OCSP
signing certificate, for example?


>
> Operating System
> Windows Server 2008 SP1 (64-bit)
>
> Roles
> Active Directory Certificate Services
> Active Directory Domain Services
> DNS
> DHCP
> IIS
>
> This server is an Enterprise Root CA and also runs the Online Responder.
>
>
> --------Reply Note--------
> Please reply either directly to this post or to it-tier3@visionnet.us
>
>
 