Using the Certutil Utility to Check Cached CRL and OCSP Responses
With the Certutil utility, you can view and manipulate certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) responses that are cached on a system's hard disk.
February 6, 2014
Q: Where can I find the certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) responses that are cached on my system's hard disk? How can I easily view and manipulate the content of a user's disk cache?
A: The user-specific CRL cache on a system's hard disk can be found in every user's profile folder, underneath %APPDATA%\Microsoft\CryptnetUrlCache. For the Windows System user profile, the CRL disk cache can be found in %WINDIR%\System32\config\SystemProfile\Application Data\Microsoft\CryptnetUrlCache. (Those are the pre-Vista profile layouts; on Windows Vista and later the same cache lives under the profile's AppData\LocalLow\Microsoft\CryptnetUrlCache folder.) Each cache folder holds a Content subfolder with the downloaded CRLs and OCSP responses and a MetaData subfolder with one entry per download. If you're unfamiliar with these CRL caches, see "Understanding the Caching Mechanisms Used During Certificate Validation."
To view and manipulate the content of the user-specific CRL cache on disk, you can use the Certutil command-line utility. Specifically, you need to use the certutil command with the -urlcache switch. For example, to display the content of your user account's CRL disk cache, you run the command:
certutil -urlcache CRL
To display the content of the OCSP disk cache, you use the command:
certutil -urlcache OCSP
To remove a single CRL named CRLFILE from the disk cache (where CRLFILE is the cached entry's name or URL and carries a *.crl file extension), you run the command:
certutil -urlcache CRLFILE delete
To remove all CRLs from the disk cache, you use the command:
certutil -urlcache CRL delete
To remove all OCSP responses from the disk cache, you run the command:
certutil -urlcache OCSP delete
Note that Certutil can only look at the cache content of the user account under which it runs, that is, the account you logged on with. If you want to look at the cache content of another user account, you must start Certutil with the runas command as that account, or log on to Windows using that account.
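The following PowerShell script is an added example, not code from the original article or from Microsoft: it ties the steps above together by locating the current user's CryptnetUrlCache folder, listing each cached entry with the URL it was fetched from, and then running the certutil -urlcache commands for viewing and (commented out) clearing the cache. It checks the AppData\LocalLow location used by Windows Vista and later as well as the %APPDATA% path given above. The URL extraction is an assumption of this example: it relies on each MetaData file embedding the download URL as a null-terminated UTF-16LE string, so it is a heuristic rather than a documented format, and the CONTOSO\alice account and the http://crl.example.com/root.crl URL in the comments are hypothetical placeholders.

```powershell
# Added example (not from the original article): inspect the CryptnetUrlCache
# folders and show the certutil -urlcache calls for viewing and clearing them.
# Assumptions not taken from the page: the AppData\LocalLow locations used by
# Vista and later, and the heuristic that each MetaData file embeds the source
# URL as a null-terminated UTF-16LE string (scanned for by scheme prefix).

function Get-CryptnetCachePath {
    param([switch]$SystemProfile)
    $candidates = if ($SystemProfile) {
        @("$env:WINDIR\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache",
          "$env:WINDIR\System32\config\SystemProfile\Application Data\Microsoft\CryptnetUrlCache")
    } else {
        @("$env:USERPROFILE\AppData\LocalLow\Microsoft\CryptnetUrlCache",
          "$env:APPDATA\Microsoft\CryptnetUrlCache")
    }
    foreach ($p in $candidates) { if (Test-Path -LiteralPath $p) { return $p } }
    return $null
}

function Get-CachedUrlFromMetadata {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # CRL distribution points and OCSP responders are usually http://, but CDPs
    # may also be ldap://; search for either scheme encoded as UTF-16LE.
    foreach ($scheme in @('http', 'ldap')) {
        $needle = [System.Text.Encoding]::Unicode.GetBytes($scheme)
        for ($i = 0; $i -le ($bytes.Length - $needle.Length); $i += 2) {
            $match = $true
            for ($j = 0; $j -lt $needle.Length; $j++) {
                if ($bytes[$i + $j] -ne $needle[$j]) { $match = $false; break }
            }
            if (-not $match) { continue }
            # Read forward to the UTF-16 null terminator (two zero bytes).
            $end = $i
            while (($end + 1) -lt $bytes.Length -and -not ($bytes[$end] -eq 0 -and $bytes[$end + 1] -eq 0)) { $end += 2 }
            return [System.Text.Encoding]::Unicode.GetString($bytes, $i, $end - $i)
        }
    }
    return $null
}

function Get-CryptnetCacheEntries {
    param([string]$CachePath)
    # One MetaData file per download; the Content file of the same name holds the CRL/OCSP bytes.
    Get-ChildItem -LiteralPath (Join-Path $CachePath 'MetaData') -File | ForEach-Object {
        $content = Join-Path (Join-Path $CachePath 'Content') $_.Name
        [pscustomobject]@{
            Entry   = $_.Name
            Url     = Get-CachedUrlFromMetadata $_.FullName
            Fetched = $_.LastWriteTime
            Bytes   = if (Test-Path -LiteralPath $content) { (Get-Item -LiteralPath $content).Length } else { $null }
        }
    }
}

$cache = Get-CryptnetCachePath
if ($cache) {
    "Current user cache: $cache"
    Get-CryptnetCacheEntries $cache | Sort-Object Fetched -Descending | Format-Table -AutoSize
} else {
    "No CryptnetUrlCache folder found for the current user."
}

# The same cache as certutil reports it: CRL entries first, then OCSP responses.
certutil -urlcache CRL
certutil -urlcache OCSP

# Clearing the cache (left commented out so the listing above is not destroyed):
# certutil -urlcache CRL delete                                 # all cached CRLs
# certutil -urlcache OCSP delete                                # all cached OCSP responses
# certutil -urlcache http://crl.example.com/root.crl delete     # one entry (hypothetical URL)

# certutil only sees the cache of the account it runs as; for another user, run it as that user.
# runas /user:CONTOSO\alice "certutil -urlcache CRL"            # hypothetical account
```

Run the script from a normal PowerShell prompt for your own cache; reading the System profile's cache (`Get-CryptnetCachePath -SystemProfile`) requires an elevated prompt. The Fetched column is the MetaData file's last write time, which is a useful pivot in incident response: the set of CRL and OCSP URLs a machine fetched, and when, records which certificate chains were validated on it, including for TLS connections the user may not remember making.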