PKI Toolbox · Microsoft ADCS Tools

PKIView Troubleshooting Guide

A practical guide for diagnosing Microsoft ADCS health, CDP/AIA publication problems, CRL issues, and Enterprise PKI status warnings.

Microsoft Enterprise PKI, launched with pkiview.msc, provides a consolidated view of ADCS publication health across an enterprise PKI. It is especially useful for identifying unreachable CDP locations, missing or expired CRLs, AIA publication issues, stale CA objects, and broken publication paths after CA migration or renewal.

PKIView is an excellent starting point, but it should not be the only validation method. Administrators should also validate certificates and revocation data with certutil, browser testing, HTTP testing, LDAP validation, and client-side certificate chain verification.
Section 1

What PKIView Checks

PKIView helps review the following aspects of your enterprise PKI:

Enterprise CA hierarchy visibility
CA certificate publication
AIA location availability
CDP location availability
CRL publication and freshness
Delta CRL publication, if used
Expired CA certificates
Expired or unreachable CRLs
Publication problems after CA renewal or migration
Old CA references in Active Directory
Broken HTTP, LDAP, or file-based publication paths
Section 2

When to Use PKIView

Use PKIView when any of the following conditions apply:

  • PKIView shows red or yellow warning indicators
  • CDP Location shows "Unable to Download"
  • AIA Location shows "Unable to Download"
  • CRLs are expired or near expiration
  • Issuing CA or Root CA publication status is unhealthy
  • Clients fail certificate revocation checking
  • Certificate enrollment fails because revocation data cannot be reached
  • A CA was migrated to a new server name
  • A Root CA or Issuing CA certificate was renewed
  • Old CA certificates still appear in Enterprise PKI
  • PKIView shows old or incorrect URLs
  • PKIView does not display expected CDP/AIA data
Section 3

How to Open PKIView

  1. 1Sign in to a domain-joined management workstation or CA server with appropriate administrative tools installed.
  2. 2Open Run (Win + R).
  3. 3

    Type:

    pkiview.msc
  4. 4Press Enter.
  5. 5Expand Enterprise PKI in the left pane.
  6. 6Review each CA and each reported AIA/CDP location.
  7. 7Refresh individual items after correcting issues.
PKIView is normally available when the ADCS management tools / RSAT certificate services tools are installed on the workstation or server.
Section 4

How to Read PKIView Status

OK / Green

PKIView was able to validate the object or publication location. The CA certificate, CRL, and publication paths are accessible and current.

Warning / Yellow

The item may be available but has a warning condition, such as approaching expiration, stale data, or partial validation. Investigate before it becomes an error.

Error / Red

PKIView could not validate the object, URL, certificate, CRL, or publication location. Immediate investigation is required.

Unable to Download

PKIView could not retrieve the certificate or CRL from the listed location. The URL may be unreachable, the file may be missing, or a network/permission issue is blocking access.

Expired

The CA certificate, CRL, or related publication object is expired and must be renewed or republished. Clients may fail revocation checking until this is resolved.

Section 5

Common PKIView Problems and Likely Causes

CDP Location Unable to Download
Likely Causes
  • CRL file missing from HTTP publication directory
  • Incorrect CDP URL in the CA configuration
  • DNS name does not resolve
  • IIS virtual directory misconfigured
  • MIME type missing for .crl
  • Anonymous access disabled on the IIS site
  • Firewall blocking HTTP port 80 or 443
  • CRL is expired
  • Old CA name or old publication URL remains after migration
  • File exists but PKIView is checking a different URL than expected
Initial Checks
  • Copy the CDP URL from PKIView and test it in a browser
  • Test from a domain client, not only from the CA server
  • Confirm HTTP 200 response
  • Confirm correct CRL file name matches the CA name
  • Confirm CRL is not expired
  • Run certutil -URL and certutil -verify checks
AIA Location Unable to Download
Likely Causes
  • CA certificate missing from AIA publication path
  • Incorrect AIA URL in the CA configuration
  • Missing .crt or .cer file at the publication location
  • IIS or HTTP publication issue
  • LDAP publication issue
  • Old CA certificate still referenced after renewal
  • CA certificate was renewed but not republished correctly
Initial Checks
  • Copy the AIA URL from PKIView and test it in a browser
  • Confirm the correct CA certificate is published
  • Confirm certificate file name and extension (.crt or .cer)
  • Confirm issued certificates contain the intended AIA URL
  • Compare the current CA certificate with the published certificate
Expired CRL
Likely Causes
  • Root CA CRL was not republished before expiration
  • Offline Root CA has not been brought online for CRL renewal
  • Issuing CA CRL publication failed silently
  • Scheduled CRL publication task failed
  • CRLPeriod or CRLOverlap settings are insufficient
  • Publication target directory or share is unavailable
Initial Checks
  • Check CRL expiration date with certutil -dump ca.crl
  • Publish a new CRL from the CA console
  • Copy CRL to HTTP publication location
  • Republish CRL to Active Directory if applicable
  • Refresh PKIView after republication
  • Test from client systems after refresh
Old CA Still Appears in PKIView
Likely Causes
  • Old CA objects remain in Active Directory
  • Old CA certificates remain in AIA or Certification Authorities containers
  • Old CDP objects remain under Public Key Services
  • CA migration cleanup was incomplete
  • Clients or AD still reference old publication data
Initial Checks
  • Review Enterprise PKI → Manage AD Containers
  • Review Certification Authorities container in AD Sites and Services
  • Review AIA container under Public Key Services
  • Review CDP container under Public Key Services
  • Validate all references before deleting objects
  • Document and back up AD objects before any cleanup
PKIView Does Not Reflect Corrected Settings
Likely Causes
  • PKIView MMC cache issue — stale display data
  • AD replication delay across domain controllers
  • Client URL cache issue
  • CRL URL cache issue on the management workstation
  • Corrected CA settings only affect newly issued certificates
  • Existing issued certificates still contain older AIA/CDP extensions
Initial Checks
  • Close and reopen PKIView MMC
  • Right-click the specific item and select Refresh
  • Check AD replication status across DCs
  • Clear certificate URL cache with certutil -urlcache * delete
  • Inspect the actual certificate AIA/CDP extensions in the Details tab
  • Reissue a test certificate after CA configuration changes
Section 6

Step-by-Step Troubleshooting Workflow

1

Open PKIView and identify the exact failing item

Launch pkiview.msc and expand the Enterprise PKI tree. Locate the CA or publication location showing a red, yellow, or "Unable to Download" status.

2

Record the affected item details

Note the affected CA name, status indicator, location number, full URL, object type (CDP or AIA), and the exact error text shown by PKIView.

3

Copy the failing URL exactly as PKIView shows it

Right-click the failing location in PKIView and copy the URL. Use the exact URL — do not retype it. Small differences in file name, path, or hostname are a common source of confusion.

4

Test the URL from multiple locations

  • CA server
  • PKI web server
  • Domain-joined client workstation
  • Non-admin workstation if possible
  • Network segment where certificate clients exist
5

Confirm the failure category

  • DNS resolution failure
  • HTTP/IIS configuration issue
  • File missing from publication directory
  • Permission or anonymous access issue
  • Expired CRL
  • Wrong file name or extension
  • Old URL from a previous CA name or migration
  • AD publication issue
  • Certificate extension issue (old AIA/CDP embedded in cert)
6

Validate the certificate itself

Open a certificate issued by the CA and inspect the Details tab:

  • Review CRL Distribution Points extension
  • Review Authority Information Access extension
  • Confirm the certificate contains the expected URLs
  • Compare against the current CA configuration
7

Validate revocation manually with certutil

Use certutil to retrieve and verify AIA certificates and CDP CRLs:

certutil validation commands
certutil -urlfetch -verify certificate.cer
certutil -verify certificate.cer
certutil -URL certificate.cer
certutil -urlcache crl
certutil -urlcache * delete
Use cache clearing carefully during troubleshooting so you do not mistake cached success or cached failure for the current state.
8

Fix the publication issue

  • Republish CRL from the CA console
  • Copy CRL to HTTP publication directory
  • Copy CA certificate to AIA publication directory
  • Correct IIS virtual directory permissions
  • Add missing MIME types (.crl, .crt, .cer)
  • Correct CDP/AIA extension settings on the CA
  • Restart certificate services if required
  • Reissue certificates if old extensions are embedded in existing certs
9

Refresh PKIView

Right-click the affected CA or location in PKIView and select Refresh. Allow time for AD replication if the fix involved Active Directory publication.

10

Validate from client systems and document the result

Test certificate revocation checking from actual client systems in the affected network segments. Document the root cause, the fix applied, and the final PKIView status.

Section 7

Important Commands

certutil & pkiview command reference
pkiview.mscOpen Enterprise PKI MMC snap-in
certutil -crlForce publish a new CRL from the CA
certutil -urlfetch -verify certificate.cerVerify certificate with live URL retrieval for AIA and CDP
certutil -URL certificate.cerOpen the graphical URL retrieval and validation tool
certutil -urlcacheView the current URL cache contents
certutil -urlcache crlView cached CRL entries specifically
certutil -urlcache * deleteClear the URL cache — use carefully during troubleshooting
certutil -getconfigView the current CA configuration string
certutil -dump certificate.cerDump full certificate details including AIA and CDP extensions
certutil -dump ca.crlDump CRL details including validity period and next update
Section 8

PKIView Troubleshooting Checklist

  • Identify the CA showing warning or error in PKIView
  • Record exact PKIView error text
  • Copy the failing URL exactly as shown
  • Test URL in a browser
  • Test URL from a domain client workstation
  • Confirm DNS resolution for the CDP/AIA hostname
  • Confirm IIS site is running and responding
  • Confirm anonymous access is enabled if using public HTTP CDP/AIA
  • Confirm .crl MIME type is configured in IIS
  • Confirm .crt and .cer MIME types if required
  • Confirm correct CRL file name matches the CA name
  • Confirm CRL is not expired
  • Confirm CA certificate is published to the AIA location
  • Confirm issued certificates contain correct CDP/AIA extensions
  • Confirm old CA URLs are not embedded in new certificates
  • Confirm AD replication is healthy across domain controllers
  • Confirm PKIView cache is not stale — close and reopen if needed
  • Use certutil -urlfetch -verify for end-to-end validation
  • Document the root cause and fix applied
  • Recheck PKIView after remediation
Section 9

Common Design and Operational Mistakes

  • Relying only on LDAP CDP/AIA paths — LDAP is not accessible from external clients or non-domain systems
  • Not publishing offline root CRLs before expiration — this causes widespread revocation failures
  • Using server hostnames in URLs instead of stable DNS aliases — hostnames change during migrations
  • Moving or migrating CAs without cleaning up old references in Active Directory
  • Updating CA extension settings but not reissuing affected certificates
  • Forgetting that existing certificates retain old AIA/CDP extensions regardless of CA configuration changes
  • Publishing files manually with incorrect names — file names must match exactly what the CA expects
  • Missing IIS MIME types for .crl, .crt, and .cer files
  • Using internal-only URLs for certificates used outside the internal network
  • Not monitoring CRL expiration proactively — waiting for PKIView to turn red
  • Not documenting CRL publication procedures — especially for offline root CAs
Section 10

Recommended Best Practices

  • Use stable DNS names for HTTP CDP/AIA publication — not server hostnames
  • Monitor CRL expiration before outage windows — especially for offline root CAs
  • Use PKIView as a first-look health dashboard, not as the only validation tool
  • Validate with certutil and real client tests after every CA change
  • Keep offline root CRL publication procedures documented and tested
  • Publish CA certificates and CRLs consistently after every CA renewal
  • Maintain a certificate inventory to track issued certificates and their embedded extensions
  • Validate PKIView after CA renewal, migration, or any CDP/AIA configuration change
  • Use change control for CA extension updates — changes affect all subsequently issued certificates
  • Document every CDP/AIA location, its purpose, and its publication procedure
Section 11

Sources and Further Reading

External links leave InsecurePlanet.com and open on their respective publisher sites.

Microsoft Tech Community — Quick Check on ADCS Health Using Enterprise PKI Tool / PKIView

The primary Microsoft reference for using PKIView to assess ADCS health. Covers status indicators, common errors, and initial troubleshooting steps.

Microsoft Learn — Copy the CA Certificate and CRL to the Virtual Directory

Step-by-step guidance for publishing CA certificates and CRLs to an IIS virtual directory for HTTP-based CDP and AIA access.

Microsoft Learn — Configure the CDP and AIA Extensions

Official documentation for configuring CDP and AIA extension URLs on a Microsoft CA. Essential for understanding how PKIView derives the URLs it checks.

Microsoft Learn — certutil command reference

Complete certutil command reference. Use alongside PKIView for URL retrieval testing, CRL validation, and cache management.

Microsoft Tech Community — Basic CRL Checking with certutil

Practical guide to using certutil for CRL validation, URL testing, and cache inspection during PKI troubleshooting.

sysadmins.lv — Designing CRL Distribution Points and Authority Information Access Locations

In-depth technical guidance on designing CDP and AIA location strategies for enterprise PKI — covers HTTP, LDAP, and file-based paths with practical recommendations.

Need help reviewing Microsoft ADCS or PKIView errors?

InsecurePlanet provides PKI security assessments, ADCS health checks, certificate template reviews, CDP/AIA troubleshooting, and PKI migration planning.