CAPI2 EventID 53
Any time I do 'certutil -verify -urlcache somecert.cer' I get several errors with eventid 53 in the CAPI2 log.
They look like the following:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>53</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>53</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000036</Keywords>
    <TimeCreated SystemTime="2011-04-06T11:21:34.477512000Z" />
    <EventRecordID>459</EventRecordID>
    <Correlation />
    <Execution ProcessID="2812" ThreadID="3476" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>CLT1.mylab.local</Computer>
    <Security UserID="S-1-5-21-1258787451-3675489144-1793759886-500" />
  </System>
  <UserData>
    <CryptRetrieveObjectByUrlWire>
      <URL scheme="http">http://ca1.mylab.local/CertEnroll/RootCA1+.crl</URL>
      <Object type="CONTEXT_OID_CRL" constant="2" />
      <Flags value="5" CRYPT_RETRIEVE_MULTIPLE_OBJECTS="true" CRYPT_WIRE_ONLY_RETRIEVAL="true" />
      <AdditionalInfo>
        <NetworkConnectivityStatus value="1" _SENSAPI_NETWORK_ALIVE_LAN="true" />
        <Action name="Call_WinHttpGetProxyForUrl">
          <Error value="2F94">The Proxy Auto-configuration URL was not found.</Error>
        </Action>
        <Action name="NoProxy" />
        <Action name="Call_WinHttpGetProxyForUrl">
          <Error value="2F94">The Proxy Auto-configuration URL was not found.</Error>
        </Action>
        <Action name="NoProxy" />
        <HTTPRequestHeadersInfo>
          <Header>GET /CertEnroll/RootCA1+.crl HTTP/1.1</Header>
          <Header>Accept: */*</Header>
          <Header>User-Agent: Microsoft-CryptoAPI/6.1</Header>
          <Header>Cache-Control: no-cache</Header>
          <Header>Pragma: no-cache</Header>
          <Header>Connection: Keep-Alive</Header>
        </HTTPRequestHeadersInfo>
        <HTTPResponseHeadersInfo>
          <Header>HTTP/1.1 200 OK</Header>
          <Header>Date: Wed, 06 Apr 2011 11:21:34 GMT</Header>
          <Header>Content-Length: 710</Header>
          <Header>Content-Type: application/pkix-crl</Header>
          <Header>Last-Modified: Wed, 06 Apr 2011 11:17:36 GMT</Header>
          <Header>Accept-Ranges: bytes</Header>
          <Header>ETag: "cb9e543b4cf4cb1:0"</Header>
          <Header>Server: Microsoft-IIS/7.5</Header>
          <Header>X-Powered-By: ASP.NET</Header>
        </HTTPResponseHeadersInfo>
      </AdditionalInfo>
      <CacheInfo lastSyncTime="2011-04-06T11:21:34.477Z">
        <URLCacheResponseInfo responseType="CRYPTNET_URL_CACHE_RESPONSE_HTTP" lastModifiedTime="2011-04-06T11:17:36Z" eTag="&quot;cb9e543b4cf4cb1:0&quot;" />
      </CacheInfo>
      <RetrievedObjects>
        <CertificateRevocationList deltaCRL="true" fileRef="A8656886425C3907A31168D0D2FB4E4343A48341.crl" issuerName="RootCA1" />
      </RetrievedObjects>
      <EventAuxInfo ProcessName="certutil.exe" />
      <CorrelationAuxInfo TaskId="{0C2A2B94-61AE-461E-BC8B-5C22ED511AC6}" SeqNumber="3" />
      <Result value="0" />
    </CryptRetrieveObjectByUrlWire>
  </UserData>
</Event>
I keep seeing "The Proxy Auto-configuration URL was not found." but my lab environment doesn't require a proxy, so is this something I can ignore or do I have something misconfigured? The command 'certutil -verify -urlcache' does seem to hang a couple of times during the verification as if it's looking for a proxy...
April 6th, 2011 7:34am
Glad to say that I figured this out. It had to do with WPAD. When I would execute certutil I would notice a "hang" a couple of times through the process. As soon as I disabled "WinHTTP Web Proxy Auto-Discovery Service" the hang would go away.
So, I used Wireshark to see what was going on during the hang and noticed a DNS query for wpad.mylab.local followed by several NBNS packets looking for WPAD as well. So, I learned that certutil uses auto proxy discovery. After adding a wpad A record and allowing it with 'dnscmd /config /GlobalQueryBlocklist isatap' (note: this removes the 'wpad' entry; my GlobalQueryBlocklist only contained two entries: isatap and wpad) I was then able to set up an IIS server such that it would respond with JavaScript inside http://wpad.mylab.local/wpad.dat - don't forget to add the MIME type for wpad.dat (application/x-javascript is fine). Since I don't have the need for a proxy, the JavaScript for my wpad.dat file looks like the following:
function FindProxyForURL(url, host)
{
    return "DIRECT";
}
I no longer have event 53 in the CAPI2 logs when using certutil.
April 8th, 2011 8:33am
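A triage helper for events like the one posted above, as an added example that is not part of the original thread: it parses an exported CAPI2 event 53 and separates retrievals that succeeded directly after WPAD auto-detection failed (error 2F94 followed by NoProxy, Result 0) from retrievals that actually failed. The `triage` function, its verdict strings and the trimmed sample event are constructed for illustration; Result values are assumed to be hexadecimal like the Error values.

```python
import xml.etree.ElementTree as ET

AUTODETECT_FAILED = 0x2F94  # 12180, ERROR_WINHTTP_AUTODETECTION_FAILED

# Constructed sample: the event from the post, trimmed to the fields read below.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>53</EventID><Level>2</Level></System>
<UserData><CryptRetrieveObjectByUrlWire>
<URL scheme="http">http://ca1.mylab.local/CertEnroll/RootCA1+.crl</URL>
<AdditionalInfo>
<Action name="Call_WinHttpGetProxyForUrl"><Error value="2F94">not found</Error></Action>
<Action name="NoProxy" />
<HTTPResponseHeadersInfo><Header>HTTP/1.1 200 OK</Header></HTTPResponseHeadersInfo>
</AdditionalInfo>
<EventAuxInfo ProcessName="certutil.exe" />
<Result value="0" />
</CryptRetrieveObjectByUrlWire></UserData></Event>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # element name without its namespace

def triage(event_xml):
    """Summarise one CAPI2 event 53 and classify it (hypothetical helper)."""
    info = {"url": None, "process": None, "result": None, "http_status": None,
            "proxy_errors": [], "no_proxy": False}
    for el in ET.fromstring(event_xml).iter():
        name, text = local(el), (el.text or "")
        if name == "URL":
            info["url"] = text
        elif name == "EventAuxInfo":
            info["process"] = el.get("ProcessName")
        elif name == "Result":
            info["result"] = int(el.get("value"), 16)  # assumed hex, like Error
        elif name == "Header" and text.startswith("HTTP/"):
            info["http_status"] = int(text.split()[1])  # response status line
        elif name == "Action" and el.get("name") == "NoProxy":
            info["no_proxy"] = True  # WinHTTP went on without a proxy
        elif name == "Error":
            info["proxy_errors"].append(int(el.get("value"), 16))
    if info["result"] != 0:
        info["verdict"] = "retrieval-failed"
    elif info["no_proxy"] and set(info["proxy_errors"]) == {AUTODETECT_FAILED}:
        info["verdict"] = "fetched-direct-after-wpad-miss"
    else:
        info["verdict"] = "ok"
    return info

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Feed it the XML view of an event copied from Event Viewer; element names are matched without their namespace, so the same code works whether or not the UserData payload declares its own.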