Forcing the Expiration of Locally Cached Certificate Revocation Lists

You can delete or invalidate locally cached certificate revocation lists (CRLs) so that the public key infrastructure client downloads more recent CRLs.

Jan De Clercq

December 5, 2014

Windows Gatekeeper Q&As

Q: To speed up certificate verification, the Windows public key infrastructure (PKI) client caches certificate revocation lists (CRLs) locally. This means that a more recent CRL isn't downloaded until the locally cached CRL has expired. Is there a way to force the expiration of locally cached CRLs so that the PKI client downloads more recent CRLs?

A: Microsoft provides two mechanisms you can use. You can either delete the locally cached CRLs or invalidate them. Both mechanisms will make the PKI client download a new CRL when a certificate must be verified. Both mechanisms rely on the Certutil command-line utility, which is available on every Windows system.

You can delete the CRL cache using the certutil command:

certutil -urlcache crl delete

To invalidate the CRLs in the cache, you can set an expiration date for the cached CRLs. To immediately invalidate all CRLs in the cache, you can use the certutil command:

certutil -setreg chain\ChainCacheResyncFiletime @now

To invalidate the CRLs at a future time, you can use a certutil command like this:

certutil -setreg chain\ChainCacheResyncFiletime @now+1:4

In this case, the CRLs will be invalidated in 1 day and 4 hours from the moment you run the command.
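
The two mechanisms above can be combined into one PowerShell script that also confirms the result. This is an added example, not part of the original article; the parameter names and the certificate path C:\temp\server.cer are assumptions made for illustration.

```powershell
# Added example, not from the original article. Run in an elevated session:
# -setreg writes a machine-wide registry value.
param(
    [switch]$DeleteCache,                      # also delete the cached CRLs
    [string]$ResyncAt = '@now',                # e.g. '@now+1:4' = 1 day, 4 hours from now
    [string]$CertPath = 'C:\temp\server.cer'   # hypothetical certificate to re-verify
)

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated PowerShell session.' }

# Record the cached CRL entries before changing anything.
Write-Host '--- CRL cache before ---'
& certutil.exe -urlcache crl

if ($DeleteCache) {
    & certutil.exe -urlcache crl delete
}

# Pass the time as a quoted string. A bare @now would be parsed by PowerShell
# as splatting of a variable named $now and never reach certutil.
& certutil.exe -setreg 'chain\ChainCacheResyncFiletime' $ResyncAt
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

# Read the value back to confirm what was stored.
& certutil.exe -getreg 'chain\ChainCacheResyncFiletime'

# Re-verify a certificate, retrieving AIA certificates and CDP CRLs by URL.
if (Test-Path -LiteralPath $CertPath) {
    & certutil.exe -verify -urlfetch $CertPath
} else {
    Write-Warning "No certificate at $CertPath; skipping verification."
}
```

From cmd.exe the commands can be typed exactly as shown in the article; the quoting around @now matters only in PowerShell.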

