Using Certutil GUI to validate CRLs on all CDPs and using OCSP

I recently published an updated CRL for my offline root CA to AD as well as to the CDPs and wanted to verify that everything is working correctly. Of course you can use the command-line version: certutil -verify filename.cer will validate it.

Running certutil -URL https://foo instead brings up a UI. Clear out the URL and select a certificate issued by the CA whose CRLs you are trying to check, or alternatively give a URL that has a certificate from the chain you are trying to validate.
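A scripted counterpart to the GUI check, as an added example that is not from the original post: it lists the HTTP CDP URLs in a certificate, fetches each CRL and shows its validity dates, then runs certutil's own chain check. The path .\issued.cer is a placeholder, and the ThisUpdate/NextUpdate labels assume English certutil output.

```powershell
# Added example (not from the original post). Run on Windows, where certutil.exe
# is available. '.\issued.cer' is a placeholder for a certificate issued by the CA.
param([string]$CertPath = '.\issued.cer')

$full = (Resolve-Path $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)

# OID 2.5.29.31 is the CRL Distribution Points extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "No CDP extension in $CertPath" }

# On Windows, Format($true) renders the extension as text with "URL=..." lines.
# Only HTTP(S) URLs are fetched here; LDAP CDPs are covered by certutil below.
# Assumption: the CDP URLs contain no unescaped spaces.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://[^\s)]+)') |
    ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique

foreach ($url in $urls) {
    $tmp = Join-Path $env:TEMP ([guid]::NewGuid().ToString() + '.crl')
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        # certutil -dump prints the CRL fields; keep the validity window lines.
        $dates = certutil -dump $tmp | Select-String 'ThisUpdate|NextUpdate'
        Write-Output "OK   $url"
        $dates | ForEach-Object { Write-Output "     $($_.Line.Trim())" }
    } catch {
        Write-Output "FAIL $url : $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Full chain and revocation check; -f with -urlfetch retrieves from the URLs
# instead of relying on cached copies.
certutil -f -urlfetch -verify $full
```

A CDP that returns a CRL whose NextUpdate is already in the past is the case to look for after republishing an offline root CRL.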


Reference: https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
