
PKI CRL Broken from Windows Update Patch (Microsoft Security Advisory (2862973))


It appears that http://support.microsoft.com/kb/2862966 breaks the IDP extension parsing in CAPI.

Anyone else having this issue...?  Applications that require hard CRL checking such as DirectAccess and RDP are broken after installing this update.

After installing this update the Cert and CRL parsing appears broken.  I now have this error "No IDP Intersection" from Certutil -URL %filename%.

No IDP Intersection: An IDP extension can be used to partition CRLs. When this is done, there must be some way to tell if a CRL signed by the correct CA certificate private key is covering the partition that includes a specific certificate being verified. Windows does this by comparing all the IDP extension URLs in the certificate being verified against the IDP extension URLs in the CRL being considered for use. If any URL appears in both extensions, the CRL is accepted for the certificate's "partition". This is effectively an intersection operation. "No IDP Intersection" means no common URLs were found in the certificate and CRL IDP extensions.

We are removing this update from our infrastructures now to see if our PK-enabled applications will work once again.  Looks like a bug... I will report back.
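
The IDP intersection check quoted above, modelled as an added example that is not part of the original post and not Microsoft's code. It assumes URLs are compared as exact strings and that a CRL without an IDP extension is unpartitioned; all hostnames and CRL names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class CandidateCrl:
    name: str                           # label used in the report (constructed)
    idp_urls: Optional[FrozenSet[str]]  # None means the CRL has no IDP extension


def idp_verdict(cert_urls: Iterable[str], crl: CandidateCrl) -> Tuple[bool, str]:
    """Decide whether one CRL covers the partition of the certificate."""
    if crl.idp_urls is None:
        # Assumption: as in RFC 5280, a CRL without an IDP is not partitioned.
        return True, "no IDP extension, CRL is not partitioned"
    # Assumption: URLs are compared as exact strings.
    common = set(cert_urls) & crl.idp_urls
    if common:
        return True, "IDP intersection on " + ", ".join(sorted(common))
    return False, "No IDP Intersection"


def select_crls(cert_urls: Iterable[str], candidates: List[CandidateCrl]):
    """Return (names of usable CRLs, per-CRL report lines)."""
    urls = list(cert_urls)
    usable, report = [], []
    for crl in candidates:
        ok, reason = idp_verdict(urls, crl)
        report.append(f"{crl.name}: {reason}")
        if ok:
            usable.append(crl.name)
    return usable, report


# Constructed sample data: one certificate and two CRL partitions.
CERT_URLS = ["http://pki.example.test/crl/part2.crl",
             "ldap://dc.example.test/CN=part2"]
CRLS = [
    CandidateCrl("part1.crl", frozenset({"http://pki.example.test/crl/part1.crl"})),
    CandidateCrl("part2.crl", frozenset({"http://pki.example.test/crl/part2.crl"})),
]

if __name__ == "__main__":
    usable, report = select_crls(CERT_URLS, CRLS)
    print("\n".join(report))
    print("usable:", usable or "none (hard CRL check fails)")
```

An empty `usable` list is the condition under which an application that enforces hard CRL checking has no acceptable CRL for the certificate.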

