Home / server / Questions / 282935
In Process
Sasha
Asked: 2011-06-23 02:09:20 +0800 CST

Reset local Certificate Revocation List (CRL) manual

  • 772

How can I reset local CRL (in OS local cash) in Windows OS (XP, Windows 7) manual? We need to reset local CRL because otherwise the OS will use local CRL until "next update" period.

As described in "Manually publish the CRL":

Clients that have a cached copy of the previously-published CRL or delta CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a valid CRL.

windows active-directory crl

2 Answers

  1. From the “How Certificate Revocation Works” article:

    certutil -urlcache crl delete

    But there is a warning:

    It may be necessary to restart the application or even the computer in order to flush the CRL cache in Windows XP or Windows Server 2003.

    Apparently this command and other variations of it clears just the disk cache, but CRLs may also be cached in memory, so a restart of some services might be required.

    For Windows Vista (and presumably 7) a better method is suggested, which should also clear CRLs cached in memory:

    certutil -setreg chain\ChainCacheResyncFiletime @now
    • 4

  2. This command must be run both on the Domain Controller and the client machine.
    On the domain controller run: 

    certutil -setreg chain\ChainCacheResyncFiletime @now
net stop certsvc
net start certsvc

    On the client machine run: 

    certutil -setreg chain\ChainCacheResyncFiletime @now
    • 1