PKI health

Aamer M
We are having issues with our PKI infrastructure. We have an offline root CA and an enterprise subordinate CA running on Windows 2012 R2.
I want to verify the health of the PKI:
1. Is the root CA certificate valid?
2. Is the root CRL still valid?
3. Is the subordinate CA certificate valid?
4. Is the subordinate CA CRL still valid?
Certificates that were issued earlier and were working fine are now showing errors like "revocation check failed".
How do I verify that the PKI components are healthy and valid?
Robert R, Computer Service Technician

Open up a command prompt as an administrator and type:
certutil -verifyStore MY

The MY verb tells the certutil utility to check the certificates in the personal certificate store of the account that's executing the command.


We requested a certificate for our Exchange servers from our subordinate CA, and after we installed it we see "revocation check failed" in the console. When I open the certificate, the Certification Path tab shows the status of the certificate as OK, but there is a warning (a yellow exclamation mark) at the root CA level.

The General tab of the certificate displays a message like the one below:

"This certificate validates to a root certificate that appears to be trusted by the remote computer. To ensure this certificate is valid on the remote computer, verify this certificate on that computer"

How can I get over this? Is it due to the root CA certificate, or should I get a new CRL from the root CA and install it? It is a big process to get to the root CA, as it is not in our control and I have to reach out to the head office.

I will contact them only when I am sure it has something to do with the root CA.

The by far easiest way is this gem of a tool:

Start - Run - pkiview.msc

It gives you an updated view of the health of all the PKI infrastructures you have in your organization.

Do you have a proxy server on your Exchange server? That can cause the revocation check to fail.
Looks to be for Exchange 2010 -


It's an internal CA, and exceptions are configured in IE.


Did you check pkiview.msc?


The PKIView results are as below:

NTAuthCertificates: we have the subordinate CA server with a status of OK

AIA Container: two certificates, both Subordinate CA, with a status of OK

CDP Container:
    Root CA Delta CRL: Expired
    Root CA Base CRL: OK
    Subordinate CA Delta CRL: Expired
    Subordinate CA Base CRL: OK

Certification Authorities Container: Root CA server with a status of OK

Enrollment Services Container: Sub CA with a status of Unknown Error

I have also noticed that when I publish a new CRL, a new file is not being created in the CertEnroll folder.

OK - you may have problems with your delta CRLs. You might as well skip delta CRLs altogether. But to fix this, look into the following.

On the subordinate CA, go to Certification Authority, right-click the Certification Authority and choose Properties. Go to Extensions and look at how the CRLs are to be published. For the location of the expired delta CRLs, make sure the box that says it is used to publish delta CRLs is checked. Also make sure the CRL is published to the same paths as are shown in pkiview.msc.

Right-click Revoked Certificates and choose Publish.

Do the same for the root CA.

You can post screenshots of pkiview.msc or the Extensions tab if you need more detailed instructions :-)


The snapshot of the errors in PKI View is attached.

The client certificates are expiring and I seem to have an issue with autoenrollment as well. Moreover, when I try to publish a new CRL, the CRL file is not created in the CertEnroll folder. I wanted to generate a new CRL and publish it in AD using the command

certutil -CRL

and then publish it to AD using the command

certutil -dspublish -f -dc ""

Any help is appreciated.
Take a look at Certification Authority - Extensions:
Look at all the CRL publication paths.
Is c:\windows\system32\certsrv\certenroll listed, and is "Publish CRLs to this location" checked for it?
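A scripted version of the CRL checks discussed in this thread, added here as an example and not code posted by anyone above: it reads every CRL file in the CA's CertEnroll folder with `certutil -dump` and reports whether each base and delta CRL is still within its NextUpdate, which is the same condition behind the "Expired" entries in pkiview.msc. It assumes the default CertEnroll path and that certutil.exe is on the PATH.

```powershell
# Added example, not from the thread. Reports base/delta CRL validity for every
# CRL file in the CA's CertEnroll folder by parsing `certutil -dump` output.
# Assumptions: run on the CA as administrator; certutil.exe is on the PATH;
# the path below is the default CertEnroll location (adjust if yours differs).
param(
    [string]$CertEnrollPath = "$env:SystemRoot\System32\CertSrv\CertEnroll"
)

function Get-CrlStatus {
    param([Parameter(Mandatory)][string]$Path)

    # certutil -dump prints the CRL in text form; ThisUpdate/NextUpdate are the
    # fields a validator uses to decide whether the CRL is still current.
    $dump = (& certutil.exe -dump $Path 2>&1) | Out-String

    $thisUpdate = [regex]::Match($dump, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim()
    $nextUpdate = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()

    # The Delta CRL Indicator extension (OID 2.5.29.27) marks a delta CRL; the
    # CA also names delta files "<CA name>+.crl".
    $isDelta = ($dump -match '2\.5\.29\.27') -or ($Path -like '*+.crl')

    $expiry = [datetime]::MinValue
    if (-not [datetime]::TryParse($nextUpdate, [ref]$expiry)) {
        $status = 'Unreadable'        # no NextUpdate: file is not a usable CRL
    }
    elseif ($expiry -lt (Get-Date)) {
        $status = 'EXPIRED'           # same condition pkiview.msc reports as Expired
    }
    else {
        $status = 'OK'
    }

    [pscustomobject]@{
        File       = Split-Path -Path $Path -Leaf
        Type       = if ($isDelta) { 'Delta' } else { 'Base' }
        ThisUpdate = $thisUpdate
        NextUpdate = $nextUpdate
        Status     = $status
    }
}

# One row per CRL file. An expired delta CRL here means the CA has not written a
# fresh one to CertEnroll; compare with the CDP Container entries in pkiview.msc.
Get-ChildItem -Path $CertEnrollPath -Filter '*.crl' |
    ForEach-Object { Get-CrlStatus -Path $_.FullName } |
    Sort-Object Type, File |
    Format-Table -AutoSize
```

If the folder shows a current base CRL but an expired delta, the publication settings on the Extensions tab are the place to look; if the folder is missing the files entirely, the CA is not publishing to that path at all.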
