Issue: If you try to access https://contosoca01/certsrv you got an 401 error message (see below) from the IIS. But if you login directly on the OS which host the CA and use https://localhost/certsrv it works.
401 - Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied.
1.) Login to the OS (e.g. Windows 2008 R2) which host the CA
2.) Bring up the IIS Manager
3.) Went to the "Default Web Site" and select "CertSrv"
4.) Click on "Authentication"
5.) Select "Windows Authentication" and then press on "Providers" on the right side
6.) Move NTLM which is at the buttom to the top from the list
7.) restart IIS