When trying to upload a certificate into PAM any related CRLs must be uploaded first.
This issue arose with PAM 2.8.3, but would apply to any PAM version, and could also apply to any product requiring a certificate be loaded.
The CRL referenced in a certificate must be uploaded before the certificate itself may be uploaded. The correct CRL must be identified and uploaded, before the certificate may be uploaded. Open the certificate with a program that can show you the details of the certificate in a human readable format. One such program is Windows Crypto Shell Extensions. The program will display 3 tabs; General, Details, and Certification Path. In this case look at the Details tab. Scroll down until the line titled CRL Distribution Points is displayed, and click on that line. One or more locations for retrieving the CRL will be displayed; for example a url specifying HTTP or LDAP. Use that URL to retrieve the CRL and load it into PAM. Once that is done the certificate itself may be uploaded.