Forum Discussion

Kanto_SoftServe
Copper Contributor
Feb 03, 2023

Disabling Certificate Revocation List (CRL) Caching on IIS 10.0


Background

Hello, community members!

I am trying to disable CRL caching on IIS 10.0 in order to be able to fetch an updated version of the CRL each time I make a request to my website. It is required for development purposes: I revoke or un-revoke a client certificate, publish the latest CRL on my CA and want IIS to check the latest information.


Setup

What I completed as setup steps:

  1. Exported root CA certificate and installed it on my computer by following these articles: https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/health-diagnostic-performance/http-403-forbidden-access-website and https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/export-root-certification-authority-certificate.
  2. Set "Accept" for client certificates on IIS.
  3. Checked the following materials about IIS CRL settings: CRL checking by IIS - Microsoft Community Hub, https://learn.microsoft.com/en-us/windows/win32/api/http/ns-http-http_service_config_ssl_param, https://learn.microsoft.com/en-us/archive/blogs/kaushal/disable-client-certificate-revocation-crl-check-on-iis.


Actions

What I am trying to do to disable CRL caching on IIS:

  1. Delete the existing SSL binding for my website: netsh http delete sslcert ipport=0.0.0.0:3010.
  2. Add a binding which tells IIS to download the CRL every 10 seconds and not to cache it: netsh http add sslcert ipport=0.0.0.0:3010 certhash=SOME_VALUE appid={SOME_VALUE} certstorename=My verifyclientcertrevocation=enable revocationfreshnesstime=10 urlretrievaltimeout=30000. The last three parameters mean that we enable CRL checking, refresh the CRL every 10 seconds and set the HTTP timeout for the CRL download to 30 seconds (30000 milliseconds).
  3. Verify that the information has been updated.

    If CertCheckMode is set to 4, certificate revocation verification will be done by downloading the remote CRL, even if we have the valid cached CRL on the server. It ignores the cached CRL completely.
  4. Restart IIS or reboot the machine: iisreset.
  5. Clear CRL cache: certutil -urlcache crl delete.
  6. Publish new CRL and verify that it doesn't contain our certificate.
  7. Send a non-revoked certificate: a 403 status is returned by IIS. This means that IIS uses the cached CRL and the above-mentioned IIS settings don't work.

  8. If I disable CRL checking it works: verifyclientcertrevocation=disable.
  9. CRL is reachable.


Question

What settings should I change in order to disable CRL caching on IIS 10.0? I want IIS to download the CRL each time I make a request to it.
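The procedure in the post, as an added example that is not part of the original post and not Microsoft's own code: it drops and re-creates the HTTP.sys binding with the revocation parameters, then reads the binding back with netsh http show sslcert and checks the stored values before any client-certificate test, so a silently ignored parameter is caught early. The port, certificate thumbprint and appid are placeholders (assumed); the field names compared are the ones netsh prints for a binding. It also adds one step the post does not have: certutil -urlcache clears the CRL cache of the account running certutil, which is not the context in which Schannel builds the client certificate chain for HTTP.sys, so the script additionally sets chain\ChainCacheResyncFiletime, which makes every chain engine on the machine discard cached CRLs on next use.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the IIS host.
# Placeholders below are assumptions: replace with the site's real port, thumbprint and appid.
param(
    [string]$IpPort             = '0.0.0.0:3010',                            # assumed, taken from the post
    [string]$CertHash           = '0123456789ABCDEF0123456789ABCDEF01234567', # assumed SHA-1 thumbprint
    [string]$AppId              = '{00000000-0000-0000-0000-000000000000}',  # assumed; any GUID is accepted
    [int]   $FreshnessSeconds   = 10,                                        # revocationfreshnesstime (seconds)
    [int]   $RetrievalTimeoutMs = 30000                                      # urlretrievaltimeout (milliseconds)
)

# 1. Remove any existing binding on the port; a missing binding is not fatal here.
netsh http delete sslcert ipport=$IpPort | Out-Null

# 2. Re-add the binding with revocation checking on and "cached client cert only" mode off.
$addOutput = netsh http add sslcert ipport=$IpPort certhash=$CertHash appid=$AppId `
    certstorename=My verifyclientcertrevocation=enable `
    verifyrevocationwithcachedclientcertonly=disable `
    revocationfreshnesstime=$FreshnessSeconds urlretrievaltimeout=$RetrievalTimeoutMs
if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed: $addOutput" }

# 3. Read the binding back and parse the "Name : Value" lines HTTP.sys reports.
$binding = @{}
foreach ($line in (netsh http show sslcert ipport=$IpPort)) {
    if ($line -match '^\s*(.+?)\s+:\s+(.*?)\s*$') { $binding[$matches[1]] = $matches[2] }
}
$expected = [ordered]@{
    'Verify Client Certificate Revocation'                   = 'Enabled'
    'Verify Revocation Using Cached Client Certificate Only' = 'Disabled'
    'Revocation Freshness Time'                              = "$FreshnessSeconds"
    'URL Retrieval Timeout'                                  = "$RetrievalTimeoutMs"
}
$ok = $true
foreach ($name in $expected.Keys) {
    $got = $binding[$name]
    if ($got -ne $expected[$name]) {
        Write-Warning "$name is '$got', expected '$($expected[$name])'"
        $ok = $false
    } else {
        Write-Host "$name = $got"
    }
}
if (-not $ok) { throw 'HTTP.sys did not record the revocation settings; fix the binding before testing.' }

# 4. Flush cached CRLs. The first command clears only the current account's URL cache;
#    the second forces all chain engines on the machine to resync their CRL cache
#    on next use (added step, not in the post). Then restart IIS so HTTP.sys reloads.
certutil -urlcache crl delete | Out-Null
certutil -setreg 'chain\ChainCacheResyncFiletime' '@now' | Out-Null
iisreset
```

Keep this configuration for development only: with a 10-second freshness window every new client-certificate handshake can trigger a CRL download, so the site's availability becomes tied to the CDP answering within urlretrievaltimeout, and a slow or unreachable CDP turns into handshake failures for clients rather than a cached decision.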
