PKI Tools: Certutil -url

Hello,

There are several tools you can use to troubleshoot certificate validation. The best tool is certutil -verify -urlfetch. That tool is the best because it checks all certificates in the chain and gives us a lot of validation information. You can find information on how to use that tool, at the end of the following blog: Certificate Validation – xdot509.blog.

However, there is a GUI tool that can be used: certutil -url. The disadvantage of this tool is that it just checks one certificate at a time and mostly provides information on the accessibility of CDP, AIA, and OCSP. So, if you just want to check that your repositories are accessible this is a good way to perform that check. It is also easier to understand the output from this tool, which can make it easier for you to communicate your issue to your colleagues when you are troubleshooting.

To run the command, you first need a certificate file. So, you can export the certificate and save it to a file location. If it is a website you are having trouble with you can export the cert from the lock icon in the browser.

The syntax of the command is: certutil -url <Certificate File Name>, where <Certificate File Name> is the certificate file you previously exported. This will launch the GUI.
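As an added example (not part of the original post), the two steps above can be scripted: the PowerShell below opens a TLS connection to a site, saves the certificate the server presents to a .cer file, and then launches certutil -url on that file. The hostname, port and output path are assumptions; replace them with your own.

```powershell
# Added example, not from the original post. Capture a site's certificate to a file,
# then hand that file to certutil -url. HostName/Port/OutFile are placeholders.
param(
    [string]$HostName = 'example.com',
    [int]$Port = 443,
    [string]$OutFile = "$env:TEMP\$HostName.cer"
)

$client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    # Accept whatever certificate the server sends: we only want to capture it here,
    # the validation is what certutil will do afterwards.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $der)
    "Saved '$($cert.Subject)' (expires $($cert.NotAfter)) to $OutFile"
} finally {
    $client.Dispose()
}

# Launch the GUI described in the post on the exported certificate.
certutil -url $OutFile
```

The exported file is the leaf certificate only, which is exactly what certutil -url expects; the GUI then retrieves the rest of the chain through the AIA itself.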

The tool is pretty self-explanatory, but the graphic below provides some additional information.

If you click Certs (from AIA) and click Retrieve it will verify that it can retrieve the certificates from the AIA repository and that they are the correct certificates.

If you select CRLs (from CDP) and click Retrieve it will verify that it can retrieve the CRLs from the CDP repository and that they are the correct CRLs.

And finally, you can select OCSP (from AIA) and click Retrieve, and it will verify that OCSP is working.
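For the same three checks without the GUI, here is an added PowerShell example (not the post's own code): it reads the CDP and AIA URLs out of the exported certificate, downloads each CRL and issuer certificate and confirms they belong to this certificate's issuer, confirms the OCSP responder accepts a connection, and finishes with the certutil -verify -urlfetch run recommended at the top of the post. The certificate path is an assumption, and the URL extraction relies on the formatted extension text that Windows produces for these extensions.

```powershell
# Added example, not from the original post. Scriptable version of the three
# "Retrieve" checks in certutil -url, followed by certutil -verify -urlfetch.
param([string]$CertFile = "$env:TEMP\example.com.cer")   # placeholder path

$X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$cert = $X509::new($CertFile)

# Formatted (human-readable) text of one extension, or '' if the cert lacks it.
function Get-ExtensionText([string]$Oid) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if ($ext) { $ext.Format($true) } else { '' }
}
$urlPattern = 'https?://[^\s,\)]+'

# CDP (OID 2.5.29.31): every URL in the extension is a CRL location.
$crlUrls = [regex]::Matches((Get-ExtensionText '2.5.29.31'), $urlPattern) | ForEach-Object { $_.Value }

# AIA (OID 1.3.6.1.5.5.7.1.1): each access description names its method
# (OCSP = ...48.1, CA Issuers = ...48.2) before its URL, so sort URLs per description.
$ocspUrls = @(); $issuerUrls = @()
foreach ($chunk in ((Get-ExtensionText '1.3.6.1.5.5.7.1.1') -split '\[\d+\]')) {
    $urls = [regex]::Matches($chunk, $urlPattern) | ForEach-Object { $_.Value }
    if ($chunk -match '1\.3\.6\.1\.5\.5\.7\.48\.1') { $ocspUrls   += $urls }
    if ($chunk -match '1\.3\.6\.1\.5\.5\.7\.48\.2') { $issuerUrls += $urls }
}

$results = @()
function Add-Result($Check, $Url, $Ok, $Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Url = $Url; Ok = $Ok; Detail = $Detail }
}

# Certs (from AIA): the download must contain a certificate whose Subject is our Issuer.
foreach ($u in $issuerUrls) {
    $tmp = Join-Path $env:TEMP ('aia-' + [guid]::NewGuid() + '.bin')
    try {
        Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15 -OutFile $tmp
        # Import handles both a single DER certificate and a PKCS#7 bundle.
        $coll = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
        $coll.Import($tmp)
        $match = $coll | Where-Object { $_.Subject -eq $cert.Issuer }
        Add-Result 'Certs (from AIA)' $u ([bool]$match) "$($coll.Count) cert(s); issuer match: $([bool]$match)"
    } catch { Add-Result 'Certs (from AIA)' $u $false $_.Exception.Message }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

# CRLs (from CDP): the download must parse as a CRL (certutil -dump succeeds).
foreach ($u in $crlUrls) {
    $tmp = Join-Path $env:TEMP ('cdp-' + [guid]::NewGuid() + '.crl')
    try {
        Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15 -OutFile $tmp
        $dump = certutil -dump $tmp 2>&1
        $ok = ($LASTEXITCODE -eq 0)
        Add-Result 'CRLs (from CDP)' $u $ok $(if ($ok) { "parsed, $((Get-Item $tmp).Length) bytes" } else { "$dump" })
    } catch { Add-Result 'CRLs (from CDP)' $u $false $_.Exception.Message }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

# OCSP (from AIA): confirm the responder's host and port accept a connection. The actual
# OCSP request/response exchange is checked by certutil -verify -urlfetch below.
foreach ($u in $ocspUrls) {
    try {
        $uri = [uri]$u
        $tcp = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
        $tcp.Dispose()
        Add-Result 'OCSP (from AIA)' $u $true "$($uri.Host):$($uri.Port) reachable"
    } catch { Add-Result 'OCSP (from AIA)' $u $false $_.Exception.Message }
}

$results | Format-Table -AutoSize

# Whole-chain view, as recommended at the top of the post: reports every URL it fetched.
certutil -verify -urlfetch $CertFile
```

A row with Ok = False for a CDP or AIA URL is the scripted equivalent of a failed Retrieve in the GUI, and the table can be pasted into a ticket as-is; the certutil -verify -urlfetch output underneath is the one to consult when the leaf checks pass but the chain still fails to validate.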

Hopefully, this helps.

-Chris