Server 2012R2, Certificate Authority, Analyzer error after install Root/SUB-CA.
Finally an error that made us much trouble and not even MPS (Microsoft Support) could solve gets mentioned in the Best practice analyzer.
Web server should allow URIs containing a plus sign (+) to enable publishing of delta CRLs |
Under Server 2008R2 this looked like this (Unable to download)
https://technet.microsoft.com/de-de/library/dd379478(v=ws.10).aspx
Do to the same in Powershell:
How to avoid Delta CRL download errors on Windows Server 2008 with IIS7
If delta CRLs are hosted on a Windows Server 2008 server running Internet Information Server 7 (II7), the configuration of a request filter must be changed in the IIS7 configuration.
IIS7.0 does not allow URI’s that do not match upon double escaping. Delta CRLs fall into that category because of the plus sign in the filename.
To change the filter for the site that is hosting the CRLs and delta CRLs, perform the following command at a command line:
appcmd set config “Default Web Site/VDIR” -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true
You have to replace VDIR with the name of the web site hosting the delta CRL, for example:
appcmd set config “Default Web Site/PKI” -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true
To change the setting for the default Web site, use this command:
appcmd set config “Default Web Site” -section:system.webServer/security/requestFiltering -allowDoubleEscaping:true
For related information about the configuration of request filters in IIS7 is found on Microsoft TechNet.
2) If PKIVIEW shows error under AIA Location (http:// webserver)
This may be just a file to copy
Start pkiview.msc
Search for the .CRT file mentioned after http:// local on your Cert server.
Then copy that *.CRT file into your IIS (pki) folder location