How Do I Completely Disable Certificate Revocation List (CRL) Checking?

  • Question

  • I found some instructions for accomplishing this task but they didn't fully work.

    These are the instructions:
    1. Control Panel --> Internet Options --> Advanced
    2. Scroll down to the Security section
    3. Uncheck the box next to "Check for publisher's certificate revocation"
       Uncheck the box next to "Check for server certificate revocation"
       Uncheck the box next to "Check for signatures on downloaded programs"
    4. Click OK
    5. Restart your computer

    The instructions did indeed put an end to most CRL checking, but I've discovered that, most of the time, when I open Steam (the digital distribution software made by Valve Corporation), CRL checking attempts are still made.
    More specifically, CryptSvc attempts to connect to the Microsoft CRL server (crl.microsoft.com) via svchost.exe, and issues the following:
    GET /pki/crl/products/tspca.crl
    GET /pki/crl/products/MicCodSigPCA_2010-07-06.crl
    GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl

    Sunday, February 12, 2017 4:18 PM
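
The three checkboxes in the steps above can be audited from PowerShell, for example to confirm whether revocation and signature checks are still switched on for an account. This is an added example, not part of the original thread; the function name is hypothetical, and the registry locations are the per-user values these Internet Options settings are generally documented to use, an assumption the thread itself does not state.

```powershell
# Added example: report the per-user state of the three Internet Options
# checkboxes named in the question. Registry paths and value names are
# assumptions from general Windows documentation, not from the thread.
function Get-RevocationCheckState {
    $settings = @(
        @{ Name  = "Check for publisher's certificate revocation"
           Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
           Value = 'State'
           # Bit 0x200 (WTPF_IGNOREREVOKATION) set means the check is skipped
           Test  = { param($v) -not ([int]$v -band 0x200) } },
        @{ Name  = 'Check for server certificate revocation'
           Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
           Value = 'CertificateRevocation'
           Test  = { param($v) [int]$v -ne 0 } },
        @{ Name  = 'Check for signatures on downloaded programs'
           Path  = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
           Value = 'CheckExeSignatures'
           Test  = { param($v) "$v" -eq 'yes' } }
    )
    foreach ($s in $settings) {
        # A missing key or value is reported as NotSet rather than guessed at
        $item = Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $state = 'NotSet'
            $raw = $null
        } else {
            $raw = $item.($s.Value)
            $state = if (& $s.Test $raw) { 'Enabled' } else { 'Disabled' }
        }
        [pscustomobject]@{ Setting = $s.Name; State = $state; RawValue = $raw }
    }
}

Get-RevocationCheckState | Format-Table -AutoSize
```

All three values sit under HKCU, so the output describes only the account that runs the function.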


All replies

  • Hi VeganMetropolis,

    A Certificate Revocation List (CRL) is a list of digital certificates that can check if the current program you are running should be trusted or not.
    Microsoft does not recommend disabling CRL checking; that would put your device in a risky environment.

    In addition, every piece of software has its own way of checking CRLs. Windows has no central switch that would turn off CRL checking for all.

    If you want to disable CRL checking, here is a link for reference:

    Best regards,

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Joy-Qiao Wednesday, February 15, 2017 10:05 AM
    • Marked as answer by VeganMetropolis Tuesday, February 21, 2017 2:43 PM
    Tuesday, February 14, 2017 9:13 AM
  • Thanks for the risk warning but I'm more concerned about my OS constantly using svchost to sneak communications with various servers, and the associated trust violation, security alerts and program startup delays.
    Because CryptSvc has been the primary offender, I just ended up deleting cryptsvc.dll. This has caused some odd behavior when viewing certain web pages in the Steam browser but, other than that, it has thus far proven to be an easy and acceptable solution.

    Thank you for the informative link though. In the future, when I have some free time, I'll use the information to try to establish an alternative to deleting/renaming cryptsvc.dll.

    Tuesday, February 21, 2017 2:41 PM