Stale PKIView CDP Location
I am trying to change the CDP locations for our Issuing CA (Server 2008 R2). We are publishing to LDAP and HTTP successfully. I have updated the CDP locations in the extensions tab for the CA, and verified with certutil -getreg that those locations (in addition to the local publish-to-self location) are the only locations configured. Yet, when I view the CA with PKIView, it still shows the old CDP location, in addition to the new locations. I see no reference to the old location anywhere else. I have restarted certificate services, rebooted, flushed mmc files, and checked the exchange certificate (which does not list this old CDP location). Where could PKIView be pulling the old CDP location from? Thanks, Daniel
February 8th, 2012 3:04pm

PKIView gets the information about CDP & AIA from a CA Exchange certificate with a short validity period issued by the CA in focus. To force the tool to update its CA Exchange certificate you simply need to revoke that certificate and refresh/restart the tool. /Hasain
February 8th, 2012 3:29pm

Adding to Hasain's excellent answer, you can force issuance of a new CA Exchange certificate by running certutil -cainfo xchg on the issuing CA in an administrative command prompt. No need to restart the tool. Brian
February 8th, 2012 10:25pm

Thank you for your quick and helpful responses Brian and Hasain. They are greatly appreciated. Unfortunately, the exchange certificate does not seem to be the issue (or I am doing something silly here, which I hope to be the case). I had already run certutil -cainfo xchg. I have manually inspected the CDP extension in that certificate, and the locations are correct. Running certutil -getreg ca\crlpublicationurls shows the correct locations. Yet, PKIView still shows an extra, incorrect location. Is there anywhere else this could be coming from? Is there anything else I should check? As an aside, is the Windows PKI blog post Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW) incorrect? It clearly states that PKIView in 2008 AD CS does not use the exchange certificate: "The AIA and CDP distribution points for the online CAs are gathered by contacting the online CAs directly. This is different than the PKIVIEW tool behavior in Windows 2003 PKI, which relied on a CA Exchange certificate with a validity period of 1 week to gather the CDP and AIA distribution points of an issuing CA. ... Running Enterprise PKI in Windows 2008 will still create the CA Exchange certificate, although as stated before, it is not used by the tool."
February 9th, 2012 12:07pm
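As an added example (not from this thread or from Microsoft's tooling), a PowerShell script that automates the cross-check Daniel describes by hand: it reads the CA's configured CRLPublicationURLs with certutil -getreg, keeps the entries flagged to go into issued certificates, and compares them with the CRL Distribution Points extension of a certificate the CA issued, such as the CA Exchange certificate exported to a .cer file. The .cer path is an assumption, and the template-to-pattern matching is my own loose approximation of certutil's %n variable expansion, not the CA's logic.

```powershell
# Added example: cross-check the CA's configured CDP URLs against the CRL
# Distribution Points extension of a certificate it issued (e.g. the CA
# Exchange certificate exported to a .cer file; the path is an assumption).
param(
    [Parameter(Mandatory = $true)][string]$CertPath   # e.g. .\CAExchange.cer
)

# CSURL_ADDTOCERTCDP (2) is the "Include in the CDP extension of issued
# certificates" checkbox on the CA's Extensions tab.
$CSURL_ADDTOCERTCDP = 2

# 1. Registry side: "certutil -getreg CA\CRLPublicationURLs" (run on the CA)
#    prints one line per location, e.g. "  1: 79:ldap:///CN=%7%8,CN=%2,...".
$configured = certutil -getreg 'CA\CRLPublicationURLs' | ForEach-Object {
    if ($_ -match '^\s*\d+:\s*(\d+):(.+)$') {
        New-Object PSObject -Property @{ Flags = [int]$matches[1]; Template = $matches[2].Trim() }
    }
}
$cdpTemplates = @($configured | Where-Object { $_.Flags -band $CSURL_ADDTOCERTCDP })

# 2. Certificate side: decode the CRL Distribution Points extension (OID
#    2.5.29.31) via CryptoAPI's text dump and collect its URL= entries.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$certUrls = @()
if ($cdpExt) {
    $certUrls = [regex]::Matches($cdpExt.Format($true), '(?m)URL=(.+?)\s*$') |
        ForEach-Object { [uri]::UnescapeDataString($_.Groups[1].Value) }
}

# 3. certutil variables (%1 server DNS name, %3 CA name, %8 CRL suffix, ...)
#    are expanded at issuance, so match each template loosely: the literal
#    parts of the URL must appear in order, the variables may be anything.
function ConvertTo-TemplateRegex([string]$template) {
    $literal = [regex]::Split($template, '%\d+') | ForEach-Object { [regex]::Escape($_) }
    return '^' + ($literal -join '.*') + '$'
}
$patterns = @($cdpTemplates | ForEach-Object { ConvertTo-TemplateRegex $_.Template })

"Configured CDP templates flagged for issued certificates:"
$cdpTemplates | ForEach-Object { "  $($_.Template)" }
"CDP URLs found in $($cert.Subject):"
foreach ($url in $certUrls) {
    $matched = $patterns | Where-Object { $url -match $_ }
    if ($matched) { "  OK     $url" }
    else          { "  STALE? $url  (matches no configured template)" }
}
```

A URL reported as STALE? in the issued certificate means the configured templates cannot have produced it; if the exported CA Exchange certificate shows only OK lines, as Daniel reports, the extra location PKIView displays is not coming from that certificate.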

It is supposed to be true, but out in the real world, I have had to recycle the Xchg certificate for OCSP URL updating. I think it is more likely that *one* certificate needs to be issued after the configuration change. Have you tried PKIView on any other computers? Brian
February 9th, 2012 2:12pm


