How to force windows client to wipe local CRL cache and fetch new CRL

    Question

  • Hi, I am doing some testing with CRL revocation.

    I have a CRL policy of 7 days and Delta CRL of 1 day currently configured.

    I have revoked a computer authentication certificate yesterday for a Windows 7 PC and am trying to figure out how to force the client to wipe its CRL and Delta CRL and fetch a new CRL (ideally just the Delta CRL), which should invalidate the local certificate immediately. This is for testing purposes and to help tune my CRL policy.

    I have manually re-created a Delta CRL on the Issuing CA and the revoked certificate serial number is visible in the Delta CRL (not the base).

    On the Windows 7 client, I have tried deleting the local CRL and Delta CRL cache by deleting these folders and running these commands, taken from the limited documentation I have found on the internet for this matter, but the Windows 7 client certificate is still valid.

    Delete: %APPDATA%\Microsoft\CryptnetUrlCache
    Delete: %WINDIR%\System32\config\SystemProfile\AppData\*\Microsoft\CryptnetUrlCache
    Run command: certutil -urlcache * delete

    Reboot ..

    Is there anything else I can do to force a Windows 7 machine to immediately invalidate the revoked certificate using CRL and Delta CRL? I am aware of OCSP; I just wish to override CRL and cannot find much documentation on the topic.

    • Edited by Nullsec Tuesday, September 25, 2012 12:38 AM
    Tuesday, September 25, 2012 12:28 AM

Answers

  • What is your truly expected time for revocation recognition? Once you have that decided, then you should adjust your CRL (base and delta) publication interval to match the required timings. Do not depend on deleting the cache. Even with the details I am providing in this post, you are not guaranteed to clear the CRL cache because an app could have a thread connected to the CRL, preventing deletion.

    In this whitepaper that I wrote with Yogesh Mehta (http://www.microsoft.com/en-us/download/details.aspx?id=5493 or http://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx) we cover the way to cause Vista (and Windows 7) to clear the cache. In the section titled "Flushing the Memory Cache", you will see that you can clear the cache by running certutil -setreg chain\ChainCacheResyncFiletime @now at an Admin command prompt.

    The commands you were trying to run are more XP specific and are not guaranteed to work.

    Brian


    • Proposed as answer by Brian Komar [MVP] Tuesday, September 25, 2012 12:02 PM
    • Marked as answer by 朱鸿文 Thursday, September 27, 2012 2:09 AM
    Tuesday, September 25, 2012 4:30 AM
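The following PowerShell script is an added example, not code from the thread or from the whitepaper Brian cites. It performs the flush his answer recommends (setting ChainCacheResyncFiletime to "now"), optionally runs the older URL-cache delete the question tried, and then rebuilds the chain of the test certificate with online revocation checking so you can see whether the client now treats it as revoked. The thumbprint parameter, the choice of the machine "My" store, and the temp-file path are assumptions for the example; the certutil switches used (-setreg, -getreg, -urlcache, -verify -urlfetch) are standard ones.

```powershell
# Added example (not from the thread): flush the CryptoAPI chain/CRL cache the way
# Brian's answer describes, then check whether the revoked certificate is rejected.
# Assumptions not stated in the thread: the revoked test certificate sits in the
# LocalMachine\My store and is selected by thumbprint; the script runs elevated.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,           # thumbprint of the certificate you revoked (assumed input)
    [switch]$AlsoDeleteUrlCache    # also run the on-disk URL cache delete from the question
)

$ErrorActionPreference = 'Stop'

# Step 0: certutil -setreg writes under HKLM, so an elevated prompt is required.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

# Step 1: the method from the whitepaper cited in the answer. Stamping
# ChainCacheResyncFiletime with the current time marks every cached CRL/OCSP
# entry older than that timestamp as stale, so the chain engine re-fetches.
# '@now' is quoted so PowerShell does not parse it as splatting syntax.
& certutil.exe -setreg 'chain\ChainCacheResyncFiletime' '@now' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
& certutil.exe -getreg 'chain\ChainCacheResyncFiletime'

# Step 2 (optional): the on-disk URL cache delete the question tried. The answer
# notes this is not guaranteed to work (a process may hold a cached CRL open),
# so a failure is reported as a warning rather than stopping the script.
if ($AlsoDeleteUrlCache) {
    & certutil.exe -urlcache '*' delete | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -urlcache delete returned $LASTEXITCODE" }
}

# Step 3: rebuild the chain with online revocation checking. X509Chain wraps the
# same CryptoAPI chain engine (and cache) the rest of Windows uses, so its verdict
# is what the client's applications will now see for this certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My." }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid    = $chain.Build($cert)
$statuses = @($chain.ChainStatus | ForEach-Object { $_.Status })

if ($statuses -contains 'Revoked') {
    Write-Host "REVOKED: the client now rejects $($cert.Subject) ($Thumbprint)."
} elseif ($valid) {
    Write-Host "STILL VALID: the chain built cleanly, so the revocation has not been picked up yet."
} else {
    Write-Host "Chain failed for other reasons: $($statuses -join ', ')"
}

# Step 4: certutil's own view, fetching the CDP/AIA URLs live, for comparison.
$tmp = Join-Path $env:TEMP "$Thumbprint.cer"
[IO.File]::WriteAllBytes($tmp, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
& certutil.exe -verify -urlfetch $tmp | Select-String -Pattern 'revo|error'
Remove-Item $tmp -ErrorAction SilentlyContinue
```

Run it as `.\Flush-CrlCache.ps1 -Thumbprint <hex thumbprint>` from an elevated prompt; add `-AlsoDeleteUrlCache` if you want the question's on-disk cleanup as well. If the chain still builds cleanly after the flush, the remaining variable is the CRL itself: confirm that the newly published delta CRL is what the CDP URL actually serves, since a flushed client will only reject the certificate if the CRL it fetches lists it.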

All replies

  • Thanks Brian
    Tuesday, September 25, 2012 6:19 AM