First published on TECHNET on Sep 13, 2007
By default, Windows is caching Certificate Revocation Lists (CRL) and CA certificates to quickly verify certificate chains. The downside of this behavior is that a newer CRL is not picked up by the client until the locally cached CRL has expired.
Windows versions before Windows Vista do not support deletion or a forced update of the CRL cache.
You can view what is in your current CRL cache with the following command:
certutil -URLcache CRL
On Windows Vista, CAPI 2.0 has support to set a expiry date for the CRL and OCSP cache. You can use certutil to set a date and time when all cache entries become invalid. The following commands require administrative permission on the system.
To see when the cache was invalidated the last time, perform this command:
certutil –getreg chain\ChainCacheResyncFiletime
Note: If the ChainCacheResyncFiletime was never set manually before, the registry key does not exist and the following error message is shown:
CertUtil: -getreg command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
The error can be ignored because default CRL caching takes place in this case.
If the @now parameter is used, all cached entries are invalidated immediately.
certutil -setreg chain\ChainCacheResyncFiletime @now
To disable temporarily the cache until after now plus 3 days and 6 hours, use this command. Setting the registry value to a future date implies that no cache entries will be used until after the date specified. The value of such a configuration is questionable.
certutil –setreg chain\ChainCacheResyncFiletime @now+3:6
To delete a registry value:
certutil –delreg chain\ChainCacheResyncFiletime