Retrieving CRL URI

Nov 17, 2015 at 2:28 PM
I am trying to use PSPKI ( to examine my PKI's CDPs (to alert when the CRLs need renewing) but am running into some fairly basic issues.

When retrieving the default CA details, the CRL URIs are not returned:
Get-CertificationAuthority | Format-List -Property *
The value for 'BaseCRL' is blank.

If using the Get-CRLDistributionPoint cmdlet, URIs are returned, but they contain variable names, as per the Extensions tab of the CA properties in the Certification Authority MMC snap-in.:
Get-CertificationAuthority |  Get-CRLDistributionPoint | Select-Object -ExpandProperty URI

RegURI           : 65:C:\WINDOWS\system32\CertSrv\CertEnroll\%3%8%9.crl
ConfigURI        : 65:C:\WINDOWS\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
UrlScheme        : Unknown

RegURI           : 0:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
ConfigURI        : 0:ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key
UrlScheme        : LDAP

RegURI           : 134:http://ca.domain.local/CertEnroll/%3%8%9.crl
ConfigURI        : 134:http://ca.domain.local/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
UrlScheme        : HTTP
Is there any way of retrieving the actual published path of the CRL to feed into Get-CRL?

Many thanks, Doc.
Nov 18, 2015 at 2:17 PM
There is a ProjectedURI property:
Somehow I don't see it in your output. Are you sure that you are using the latest module version?

In addition, make sure if IsAcessible property in the Get-CA command's output is set to True.
Nov 23, 2015 at 1:16 PM
Edited Nov 23, 2015 at 1:18 PM
Camelot, I'm sure that the ProjectedURI attribute wasn't visible previously, but it is now(!)

I'm not sure what caused this - I was using PSPKI v3.1.0.0 previously, but my laptop's hard drive failed since I posted the question and I have had to reinstall everything onto a replacement. In addition, we've been upgrading our PKI too. It's also possible that the problem lies between the keyboard and screen!

Thanks for your help, Doc.

Edited to add: the BaseCRL attribute returned by the GetCA command is no longer blank but set to "System.Security.Cryptography.X509Certificates.X509CRL2" so something has definitely changed in somewhere...