Hello,
Thank you for posting your question on the Microsoft Windows Forum.
Based on your issue description, the fact that certutil -dcinfo verify and certutil -config - -ping succeed indicates that the CA object is present in Active Directory and basic communication is working. However, pkiview.msc relies on more than just basic connectivity; it needs to be able to retrieve the actual certificates and CRLs from the published CDP and AIA locations. You can try the following suggested troubleshooting steps for this issue.
1. Verify DCOM Permissions:
- The PKI console uses DCOM to connect to the CA. The account running the console must have DCOM access to the CA server. Check DCOM permissions for the Certificate Services DCOM application:
  - Open dcomcnfg
  - Navigate to Component Services > Computers > My Computer > DCOM Config
  - Find the CertSrv Request application
  - In Properties > Security:
    - Ensure Local Launch and Local Activation permissions include:
      - NT AUTHORITY\NETWORK SERVICE
      - BUILTIN\Administrators
      - Intermediate CA computer account
2. Reset the MMC Console Settings:
- Close all MMC instances.
- The MMC console might have corrupted settings. Reset the MMC by deleting the following file (if it exists):
  - %AppData%\Microsoft\MMC\pkiview.msc
- After deleting it, try reopening pkiview.msc.
3. Verify Intermediate CA Certificate in AIA:
- If it is an LDAP location, it should be in CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=.... If it's an HTTP location (IIS), ensure the .crt file is present in the specified web directory with correct NTFS and IIS permissions (read access for "Everyone" or "Authenticated Users", and anonymous access not blocked).
4. Verify Intermediate CA CRLs in CDP:
- For LDAP, verify the CRLs exist in CN=CDP, CN=Public Key Services, CN=Services, CN=Configuration, DC=.... For HTTP, verify the .crl files are in the web directory with proper permissions.
5. Permissions and Network Access:
- Firewall: Ensure no firewalls (Windows Firewall on the CA, domain firewall, network firewalls) are blocking HTTP (port 80) or LDAP (port 389/3268) access to the CDP and AIA locations.
- IIS (if applicable): If you're using IIS for HTTP-based CDP/AIA, ensure that anonymous authentication is enabled on the virtual directory hosting the CRLs and certificates, and that the physical path has appropriate NTFS permissions for the IIS application pool identity (or "Everyone" for testing).
- Proxy Settings: If your Intermediate CA is behind a proxy server, ensure that the proxy settings allow access to the CDP/AIA URLs. pkiview.msc runs in the context of the user or system, so proxy settings might interfere.
6. Check Event Logs:
- Open Event Viewer and navigate to:
  - Applications and Services Logs > Microsoft > Windows > CertificateServicesClient
  - System logs
- Look for any errors or warnings that might indicate the cause.
7. Debug PKI View:
- Run the following command to enable logging:
  - mmc /trace C:\pkiview.log
- Then open pkiview.msc and inspect the log.
Hope the above information is helpful!
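As an added example (not part of the answer above), the following PowerShell script automates steps 3 and 4: it reads the CDP and AIA URLs out of the issuing CA's certificate and probes each one, fetching HTTP locations (and checking that a downloaded CRL is still within its NextUpdate) and binding to LDAP locations to confirm the attribute holds data. It assumes the CA certificate has been exported to the placeholder path C:\temp\IssuingCA.cer, that certutil.exe is on the PATH, and that the host is domain-joined so the ldap:/// URLs resolve.

```powershell
# Added example, not from the original answer: probe every CDP and AIA location an
# issuing CA certificate advertises, which are the same locations pkiview.msc checks.
# Assumptions: the CA certificate is exported to C:\temp\IssuingCA.cer (placeholder),
# certutil.exe is on the PATH, and the session runs on a domain-joined host for LDAP.
param([string]$CertPath = 'C:\temp\IssuingCA.cer')

# certutil -dump prints the CRL Distribution Points and Authority Information
# Access extensions; each location appears on a line of the form "URL=<uri>".
$dump = certutil.exe -dump $CertPath
$urls = [regex]::Matches(($dump -join "`n"), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

function Test-HttpLocation([string]$Url) {
    $tmp = [IO.Path]::GetTempFileName()
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10 -OutFile $tmp -PassThru
    $status = "HTTP $($resp.StatusCode), $((Get-Item $tmp).Length) bytes"
    if ($Url -match '\.crl$') {
        # An expired CRL makes pkiview flag the CDP even when the file is served,
        # so compare NextUpdate (printed by certutil in the local date format) with now.
        $line = (certutil.exe -dump $tmp | Select-String 'NextUpdate:').Line
        $next = [datetime]::Parse(($line -split ':\s+', 2)[1])
        $status += if ($next -gt (Get-Date)) { ", CRL valid until $next" } else { ", CRL EXPIRED at $next" }
    }
    Remove-Item $tmp
    return $status
}

function Test-LdapLocation([string]$Url) {
    # Form is ldap:///<DN>?<attribute>?base?<filter>; bind to the DN and check the attribute.
    $m = [regex]::Match($Url, '^ldap:///([^?]+)\?([^?]+)')
    if (-not $m.Success) { return 'unrecognised LDAP URL format' }
    $dn = [uri]::UnescapeDataString($m.Groups[1].Value); $attr = $m.Groups[2].Value
    $obj = [ADSI]"LDAP://$dn"
    $values = $obj.Properties[$attr]   # throws if the CDP/AIA object does not exist
    if ($values.Count -eq 0) { return "object exists but $attr is empty" }
    return "$attr present ($($values.Count) value(s))"
}

foreach ($url in $urls) {
    try {
        $result = if ($url -like 'http*') { Test-HttpLocation $url }
                  elseif ($url -like 'ldap*') { Test-LdapLocation $url }
                  else { 'skipped (not an HTTP or LDAP location)' }
    } catch { $result = "FAILED: $($_.Exception.Message)" }
    "$url`n    -> $result"
}
```

Run it as the same account that opens pkiview.msc so that proxy settings and DCOM/LDAP permissions match what the console experiences; a FAILED line points at the location to fix under steps 3 to 5.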