Stale PKIView CDP Location
I am trying to change the CDP locations for our Issuing CA (Server 2008 R2). We are publishing to LDAP and HTTP successfully. I have updated the CDP locations in the extensions tab for the CA, and verified with certutil -getreg that those locations (in addition to the local publish-to-self location) are the only locations configured. Yet, when I view the CA with PKIView, it still shows the old CDP location, in addition to the new locations. I see no reference to the old location anywhere else. I have restarted certificate services, rebooted, flushed mmc files, and checked the exchange certificate (which does not list this old CDP location). Where could PKIView be pulling the old CDP location from? Thanks, Daniel
February 8th, 2012 2:57pm

Thank you for your quick and helpful responses Brian and Hasain. They are greatly appreciated. Unfortunately, the exchange certificate does not seem to be the issue (or I am doing something silly here, which I hope to be the case). I had already run certutil -cainfo xchg. I have manually inspected the CDP extension in that certificate, and the locations are correct. Running certutil -getreg ca\crlpublicationurls shows the correct locations. Yet, PKIView still shows an extra, incorrect location. Is there anywhere else this could be coming from? Is there anything else I should check? As an aside, is the Windows PKI blog post Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW) incorrect? It clearly states that PKIView in 2008 AD CS does not use the exchange certificate: "The AIA and CDP distribution points for the online CAs are gathered by contacting the online CAs directly. This is different than the PKIVIEW tool behavior in Windows 2003 PKI, which relied on a CA Exchange certificate with a validity period of 1 week to gather the CDP and AIA distribution points of an issuing CA. ... Running Enterprise PKI in Windows 2008 will still create the CA Exchange certificate, although as stated before, it is not used by the tool."
February 9th, 2012 12:05pm

On my W2K8 R2 intermediate CA, under Issued Certificates, the newest CA Exchange certificate was expired. On my Win7 workstation, in the Enterprise PKI snap-in (PKIView.msc), the AIA and CDP info for that CA was missing. Normally when I click the name of the CA in the left (tree view) pane, it shows in the right (details) pane, the names of the CA's subordinate CA servers (one line each); the CA's certificate (one line); and then four additional lines (one LDAP URL and one HTTP URL for both the AIA and the CDP locations). Those last four lines were just not there. I ran "certutil -cainfo xchg" (thanks B.K.) on the CA to create a new (time valid) Xchg certificate, but I got an error stating that the current user does not have permission to enroll for certificates on the CA server. In the Certificates Services snap-in, I right-clicked the name of the CA in the left pane, and selected Properties, Security tab. Sure enough, Authenticated Users had been removed, and the group containing the account I was using did not have Allow - Request Certificates. I checked that block and then ran "certutil -cainfo xchg" again, and it worked. It output the blob that is the new certificate. When I went back to PKIView, the AIA and the CDP lines were there, and they were correct! If you want to tighten security on your CA server, use caution. It's pretty easy to break things. Also, to me, this confirms that PKIView still uses the CA Exchange certificate.
July 20th, 2012 4:45pm
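The checks the thread walks through by hand (certutil -getreg ca\CRLPublicationURLs, then certutil -cainfo xchg and a look at the CDP extension of the CA Exchange certificate) can be done in one pass. The script below is an added example, not code from any poster; it assumes it runs on the CA with the standard CertSvc registry layout, that certutil -cainfo xchg prints the exchange certificate as a base64 PEM blob, and that the account has Request Certificates permission on the CA (the last post shows what happens without it).

```powershell
# Added example (not from the thread). Compares the CDP URLs configured on the CA
# with the CDP URLs carried by the current CA Exchange certificate. Run it on the
# CA, elevated, with "Request Certificates" permission (certutil -cainfo xchg needs it).
# Assumption: standard CertSvc registry layout; the CA name is read from the 'Active' value.

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$urls   = (Get-ItemProperty -Path "$cfg\$caName").CRLPublicationURLs

# Each entry is "<flags>:<template>". Bit 2 (CSURL_ADDTOCERTCDP) means the template
# is written into the CDP extension of certificates the CA issues.
$CSURL_ADDTOCERTCDP = 2
$configured = @(foreach ($entry in $urls) {
    $flags, $template = $entry -split ':', 2
    if ([int]$flags -band $CSURL_ADDTOCERTCDP) {
        # keep the fixed prefix before the first %-token, e.g. http://pki.contoso.com/CertEnroll/
        ($template -split '%', 2)[0]
    }
})

# Fetch the current CA Exchange certificate; certutil prints it as a base64 PEM blob
# (and issues a fresh one if the current one is missing or expired).
$out = certutil -cainfo xchg | Out-String
if (-not ($out -match '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----')) {
    throw "certutil -cainfo xchg returned no certificate:`n$out"
}
$bytes = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

# OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders "URL=..." lines.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw "Exchange certificate $($cert.Thumbprint) has no CDP extension" }
$actual = [regex]::Matches($cdpExt.Format($true), '(?m)URL=(.+?)\s*$') |
          ForEach-Object { $_.Groups[1].Value }

"CA Exchange certificate: $($cert.Subject)  (NotAfter $($cert.NotAfter))"
if ($cert.NotAfter -lt (Get-Date)) { "  EXPIRED - rerun certutil -cainfo xchg to get a time-valid one" }
"Configured CDP prefixes with CSURL_ADDTOCERTCDP set:"
$configured | ForEach-Object { "  $_" }
"CDP URLs embedded in the exchange certificate:"
foreach ($u in $actual) {
    $known = $configured | Where-Object { $u.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
    if ($known) { "  OK     $u" } else { "  STALE  $u  (no matching CRLPublicationURLs entry)" }
}
```

A URL reported as STALE means the exchange certificate was issued before the CDP change and PKIView is reading the old value from it; a URL that is configured but missing from the certificate usually means the CSURL_ADDTOCERTCDP flag is not set on that entry.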
