Forcing the Expiration of Locally Cached Certificate Revocation Lists

Q: To speed up certificate verification, the Windows public key infrastructure (PKI) client caches certificate revocation lists (CRLs) locally. This means that a more recent CRL isn't downloaded until the locally cached CRL has expired. Is there a way to force the expiration of locally cached CRLs so that the PKI client downloads more recent CRLs?

A: Microsoft provides two mechanisms you can use. You can either delete the locally cached CRLs or invalidate them. Both mechanisms will make the PKI client download a new CRL when a certificate must to be verified. Both mechanisms rely on the Certutil command-line utility, which is available on every Windows system.

You can delete the CRL cache using the certutil command:

certutil -urlcache crl delete

To invalidate the CRLs in the cache, you can set an expiration date for the cached CRLs. To immediately invalidate all CRLs in the cache, you can use the certutil command:

certutil -setreg chainChainCacheResyncFiletime @now

To invalidate the CRLs at a future time, you can use a certutil command like this:

certutil –setreg chainChainCacheResyncFiletime @now+1:4

In this case, the CRLs will be invalidated in 1 day and 4 hours from the moment you run the command.