
Everything posted by eljub

  1. You are right, it's because for this command, the name at the end has to be the computer name of the RootCA server from your environment.
  2. I just found, when I looked at the "Session" in the Computer Management MMC, that it is published under the server account. I added the computer account directly on the share with change permissions and on the security tab with modify permissions, but still an access denied.
  3. Ok, I found the issue, which I think is still related to the UAC. If on the share "c:\certenroll" I allow "change" permissions for Everyone, it works. I also tried to directly place the Enterprise user I used, with change permission, but it failed. I suspect it is published by another user.
  4. Yes, maybe, but I do not see what. I just did another test. If the share "CertEnroll" is on c:\CertEnroll => the command "Certutil -CRL" failed. If the share "CertEnroll" is on C:\Windows\System32\certsrv\CertEnroll => the command "Certutil -CRL" passed.
  5. Hi, I encountered the same issue: my Root CA CDP location was in error 'Unable To Download' for the offline root. I found this was related to one specific command: The "RootCA" value in the command above should be adapted to the hostname of your Root CA server. Adapting this to my server hostname solved the issue.
  6. I disabled the UAC and now I'm able to create/modify/delete files in the "c:\CertEnroll" folder. I'm also able to do it through the network share. But I still get a deny when I do the "certutil -CRL".
  7. I also have this issue, but I can't resolve it right now, even after a lot of reboots. I start the command from an elevated command prompt but I always get an access denied. I found this is related to my CDP file location, and I suspect UAC. How am I sure this is the problem? => Because if I run CRLPublicationURLs again without adding the file location, then the "certutil -CRL" command works without issues. I checked the rights many times and everything is right. I'm logged in with my Enterprise Administrator account. This account is in the "Cert Publishers" AD group and also in the local Administrators group of the server. The "Cert Publishers" AD group has modify NTFS rights on the folder "c:\certenroll". The "Cert Publishers" AD group has "Change" rights on the "CertEnroll" share. So everything seems fine, but I always receive an access denied. Why do I think it's UAC causing the problem? Because when I try to create a file in "c:\CertEnroll", I'm not able to do it. The owner of the "c:\CertEnroll" folder is the server's local Administrators group and, like I already said, my account is a member of this group. And when I check the permissions, I should have the needed rights. So I will continue to look for what's wrong in my configuration.
  8. I followed your guide, but like I said, I do not use a separate server as Web Server. Yesterday, after completing PART5, I noticed that the "CertEnroll" share was on "c:\system32\certsrv\certenroll" and not on "C:\CertEnroll" anymore. I had a doubt that I had missed something, but: - when I went to the security of the folder "C:\CertEnroll", the AD Group "Cert Publisher" was there, as done in PART3; - the IIS virtual directory "CertEnroll" was pointing to "c:\system32\certsrv\certenroll" and not to "C:\CertEnroll" anymore. I think it's because I selected to install the Web Enrollment feature in PART5. So for me, in case of installation of the Web Server Enrollment on the Issuing CA Server, it would be better to do PART3 after PART5 and change the thing I wrote above.
  9. Yes, if you are like me and you install the Web Server on the Issuing Server. I noticed that with PART5, the network share "CertEnroll" has been reset to its default value "c:\system32\certsrv\certenroll". So you need to: - remove the share on this folder; - recreate a share on c:\certenroll (with "modify" share permissions for AD group "Cert Publisher"); - change the IIS target folder for the "CertEnroll" virtual directory to "c:\certenroll".