Publish CRLs accessible via the web (HTTP) on an authority on Windows Server 2016

  • Windows Server
  • 20 October 2023 at 08:19 UTC
  • InformatiWeb
  • 3/3

8. Test the validity of the paths present in the CDP and AIA extensions of the certificates (via certutil)

To test the validity of the access paths present in the CDP and AIA extensions of your certificates from any server or computer, you can use the certutil tool.
However, you will need a recent certificate in which the new paths (CDP and AIA) have been included.

In our case, we will use the certificate that we issued to our web server after adding the HTTP paths.

Launch a command prompt and run the command below, adapting the path of the certificate you want to test:

certutil -url C:\Users\Administrator.INFORMATIWEB\Documents\web.cer

Although "certutil" is a command-line tool, this command opens a "URL Retrieval Tool" window.
At the bottom left of this window, you will see the subject (common name) of the certificate referenced in the command executed previously.

To test access to the certificate revocation lists of this certificate from the server or computer where you are, specify a timeout on the left (3 seconds is sufficient locally), select the "CRLs (from CDP)" option (bottom right), then click Retrieve.

Certutil will detect the URLs present in the "CRL Distribution Points" (CDP) extension of your certificate and test whether it can access them.
If the status is "Verified", the URL is reachable from this machine.

If not, verify that the detected path is correct and that you can access it from this server or computer.

Important: if one of the URLs is incorrect and you correct it via the "Extensions" tab of the properties of your certification authority, remember that you will have to regenerate the certificate concerned so that the new access paths are present in the CDP extension of this certificate.

You can also detect and test the URLs present in the "Authority Information Access" (AIA) extension of your certificate by selecting "Certs (from AIA)", then clicking Retrieve again.

The URL Retrieval Tool will detect the AIA paths present in the certificate and test whether it can access these URLs.
If the tool can access these URLs, the status will be "Verified".
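The same check can be scripted for the HTTP paths. The PowerShell function below is an added example, not part of the original tutorial: it reads the CDP and AIA extensions of a certificate file and requests each http/https URL with the same 3-second timeout. The function name Test-CertUrlPaths is hypothetical, and the code assumes the Windows text rendering of these extensions lists each location on a line containing "URL=...".

```powershell
# Added example, not from the original tutorial. The function name is hypothetical.
function Test-CertUrlPaths {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [int]$TimeoutSec = 3   # same value the tutorial suggests for a local network
    )
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    $wanted = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    foreach ($ext in $cert.Extensions) {
        if (-not $wanted.ContainsKey($ext.Oid.Value)) { continue }
        # Assumption: on Windows, Format($true) prints one "URL=..." entry per line.
        foreach ($line in ($ext.Format($true) -split '\r?\n')) {
            # Only http/https entries are tested; ldap:// and file:// entries are skipped.
            if ($line -match 'URL=(https?://.+)$') {
                # Drop a trailing "(...)" display copy of the URL if the formatter added one.
                $url = ($Matches[1] -replace '\s+\(.*\)\s*$', '').Trim()
                $status = 'Failed'
                try {
                    $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
                    $status = 'OK'
                    $detail = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
                } catch {
                    # DNS failure, timeout, 404, 403, etc. all end up here.
                    $detail = $_.Exception.Message
                }
                [pscustomobject]@{
                    Extension = $wanted[$ext.Oid.Value]
                    Url       = $url
                    Status    = $status
                    Detail    = $detail
                }
            }
        }
    }
}

# Certificate path taken from the certutil command above.
$results = @(Test-CertUrlPaths -CertPath 'C:\Users\Administrator.INFORMATIWEB\Documents\web.cer')
$results | Format-Table -AutoSize -Wrap
if ($results.Status -contains 'Failed') {
    Write-Warning 'At least one CDP/AIA URL could not be retrieved from this machine.'
}
```

A successful download only shows that the URL is reachable; it does not validate the CRL's signature or expiry. For a non-GUI check that also performs revocation checking, certutil offers "certutil -verify -urlfetch" followed by the certificate path.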

9. Test the validity of the paths present in the CDP and AIA extensions of the certificates (via the Enterprise PKI snap-in)

On your certification authority, you can graphically test the CDP and AIA URLs configured in its extensions by launching an "mmc" console.

In the console that appears, click File -> Add/Remove Snap-in.

Select the "Enterprise PKI" snap-in and click Add.

Note: this snap-in corresponds to the "pkiview.msc" file.

Then click OK.

The "Enterprise PKI" snap-in will automatically test access to the different locations configured in your CA extensions:

  • CA Certificate
  • AIA Location #1 and #2
  • CDP Location #1 and #2
  • DeltaCRL Location #1

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
