Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
First of all: PKI is easy once you understand the basic principles. Don't give up :)
When troubleshooting PKI, the key is to understand what operation each of the parties involved performs, so you can determine where the point of failure is.
Most PKI cases I've handled over the years boil down to one of four things:
A simple rule of thumb is that servers verify client certificates, and clients verify server certificates. It's therefore vital to look at the certificates from the point of view of the entity doing the verification, i.e. export the certificate and run the checks on it on the other side of the conversation. Verifying the server certificate should be done from the client; verifying the client certificate should be done from the server.
For example, run certutil -v -verify -urlfetch <exportedcert.cer> to check the chain and revocation status of an exported certificate from the verifying machine.
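The following PowerShell script is an added example, not code from the original post: it performs the "verify from the other side" step for the server-certificate case. Run from the client, it captures the certificate the TLS server actually presents, writes it to disk, and then hands it to certutil -verify -urlfetch so the chain build and CRL/OCSP fetches happen with the client's trust store, proxy and network path. The host name, port and output path are placeholders (assumptions), and the script uses only .NET SslStream and the certutil switches named in the text.

```powershell
# Added example (not from the original post). Captures the certificate a TLS
# server presents to THIS client and verifies it here, as the text recommends.
# $ServerName, $Port and $OutFile are placeholders: replace with your own values.
param(
    [string]$ServerName = "server.example.invalid",   # assumption: placeholder host
    [int]$Port = 443,
    [string]$OutFile = "$env:TEMP\server-cert.cer"
)

# Accept whatever certificate the server sends: the callback is only used to
# capture it. The real verification is done by certutil further down.
$acceptAll = { param($sender, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]

$client = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($ServerName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $client.Close()
}

# Export the leaf certificate as DER so certutil can examine it.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)
Write-Host "Captured '$($cert.Subject)' (thumbprint $($cert.Thumbprint)), saved to $OutFile"
Write-Host "Valid from $($cert.NotBefore) to $($cert.NotAfter)"

# Build the chain and fetch AIA/CDP/OCSP URLs from this machine, i.e. from the
# point of view of the party that has to trust the certificate.
certutil -v -verify -urlfetch $OutFile
```

Read the certutil output from the bottom up: the summary lines report whether the chain built to a trusted root and whether each revocation check succeeded, and a failure such as CRYPT_E_REVOCATION_OFFLINE there tells you the client could not reach the CRL or OCSP endpoint, which is a different problem from an untrusted or expired certificate. The mirror-image check for a client certificate is the same two steps run on the server: export the client's certificate there and run the same certutil command.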
Troubleshooting PKI problems on Windows: http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-pki-problems-on-windows.aspx
Appendix C: Certificate Revocation References: http://technet.microsoft.com/en-us/library/ee619758(WS.10).aspx