Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

How to refresh the CRL cache on Windows Vista


By default, Windows caches Certificate Revocation Lists (CRLs) and CA certificates so that it can verify certificate chains quickly. The downside of this behavior is that a newer CRL is not picked up by the client until the locally cached CRL has expired.

 

Windows versions before Windows Vista do not support deletion or a forced update of the CRL cache.

 

You can view what is in your current CRL cache with the following command:

certutil -URLcache CRL

 

On Windows Vista, CAPI 2.0 has support to set an expiry date for the CRL and OCSP cache. You can use certutil to set a date and time when all cache entries become invalid. The following commands require administrative permission on the system.

 

To see when the cache was last invalidated, run this command:

certutil -getreg chain\ChainCacheResyncFiletime

 

Note: If ChainCacheResyncFiletime has never been set manually, the registry value does not exist and the following error message is shown:

CertUtil: -getreg command FAILED: 0x80070002 (WIN32: 2)

CertUtil: The system cannot find the file specified.

The error can be ignored because default CRL caching takes place in this case.

If the @now parameter is used, all cached entries are invalidated immediately.

certutil -setreg chain\ChainCacheResyncFiletime @now

 

To temporarily disable the cache until 3 days and 6 hours from now, use the following command. Setting the registry value to a future date means that no cache entries will be used until after the specified date. The value of such a configuration is questionable.

certutil -setreg chain\ChainCacheResyncFiletime @now+3:6

 

To delete a registry value:

certutil -delreg chain\ChainCacheResyncFiletime
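
The check, invalidate and verify steps above combined into one PowerShell function, as an added example that is not part of the original post; the function name Invoke-ChainCacheResync is hypothetical. It treats the 0x80070002 "value not found" result as the default-caching case and quotes @now, which PowerShell would otherwise parse as a splatting expression.

```powershell
# Added example; the function name is hypothetical. Uses only the certutil
# verbs shown in this post. Run from an elevated session.
function Invoke-ChainCacheResync {
    $valueName = 'chain\ChainCacheResyncFiletime'

    # -setreg needs administrative permission, so fail early if not elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Administrative permission is required.'
    }

    # Read the previous resync time. 0x80070002 only means the value was
    # never set (default caching), so it is not treated as a failure.
    $before = (& certutil.exe -getreg $valueName 2>&1 | Out-String).Trim()
    $previouslySet = ($LASTEXITCODE -eq 0)
    if (-not $previouslySet -and $before -notmatch '0x80070002') {
        throw "certutil -getreg failed:`n$before"
    }

    # Invalidate all cached entries now. '@now' must be quoted: unquoted,
    # PowerShell parses @now as splatting of $now and certutil never sees it.
    $set = (& certutil.exe -setreg $valueName '@now' 2>&1 | Out-String).Trim()
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg failed:`n$set"
    }

    # Read the value back so the change is confirmed, not assumed.
    $after = (& certutil.exe -getreg $valueName 2>&1 | Out-String).Trim()
    if ($LASTEXITCODE -ne 0) {
        throw "Value missing after -setreg:`n$after"
    }

    New-Object PSObject -Property @{
        PreviouslySet = $previouslySet
        Before        = $before
        After         = $after
    }
}

Invoke-ChainCacheResync | Format-List
```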
