
2012 Enterprise Root CA CRL Issues


I recently migrated my 2008 R2 Enterprise Root CA to 2012 keeping the same host name and CA name. I ran into a few issues at first with errors in the event logs which were resolved by giving the computer account full access to the CDP and AIA containers in AD even though the Microsoft documentation says this isn't required unless the computer name changed. Of course this doesn't make sense considering they require that you delete the computer account and then join the new CA with the same computer name (SID changes).

The issue I'm running into now is regarding CRLs. The CA is generating new CRLs automatically (pkiview.msc shows everything healthy), however if I revoke a certificate, wait for the Delta CRL to expire, and view the certificate on a server with MMC -> Certificates, it still shows as valid. The only way the certificate stops working is if I check "Check for server certificate revocation" in IE and browse to the site. Is this intentional? I was assuming if a server downloads the latest Delta CRL, it would show as revoked in the Certificates MMC when I view the certificate, and when I browse to a site whether or not the "Check revocation status" is checked in IE.

What is the expected behavior? Is there a way to view the current CRL cache on a server?
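The two checks the question is circling around, an explicit revocation check of a certificate and a look at what CRLs the server has actually cached, can be done from PowerShell. This is an added example, not code from the original post; it assumes the certificate under test has been exported to the hypothetical path `C:\temp\server.cer` on the server doing the checking.

```powershell
# Added example (not from the original post). Builds the certificate chain with
# online revocation checking forced on, reports any revocation-related status,
# then lists the CRLs (base and delta) in the local URL cache.
param(
    # Hypothetical path; change to the exported certificate you want to test.
    [string]$CertPath = 'C:\temp\server.cer'
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Force a revocation check of the entire chain using the CDP/AIA URLs in the
# certificates, rather than relying on whatever a viewer happens to display.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags =
    [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$built = $chain.Build($cert)
"Chain build succeeded: $built"
foreach ($status in $chain.ChainStatus) {
    # Values worth watching: Revoked, RevocationStatusUnknown, OfflineRevocation.
    "{0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}

# Show the CRLs the client has downloaded into its URL cache; a stale or
# missing delta CRL here explains a certificate still appearing valid.
certutil -urlcache CRL

# Independent check: fetch CRLs/OCSP from the URLs in the certificate and
# print the result of each revocation lookup in the verbose output.
certutil -verify -urlfetch $CertPath
```

Run it as the same account whose view you are comparing against, since the URL cache is per-user as well as per-machine; `certutil -urlcache CRL delete` clears the cached CRLs so the next check fetches fresh copies.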
