
I know we can clear the CRL cache in Windows Server 2008 using the certification authority UI. However, I want to automate the process and am therefore looking for a way to do it from the command line. Is it possible using certutil or any other default utilities in Windows?

Regards,

Andy

Andy Brikshaw
  • Can you clarify what you're clearing? A CRL cache is something that a client, not the CA itself, uses so that it doesn't need to grab a full CRL every time it checks a cert's validity. Do you mean clearing out a published CRL from one of the CDPs, perhaps? – Shane Madden Feb 17 '12 at 05:51
  • Hi Shane, thanks for taking a look. My intention is to make sure that when the application starts on a client machine, before that it clears the CRL so that it can get the up-to-date status of the user (under which the application is running) and see if the certificate of the user stands revoked now – Andy Brikshaw Feb 17 '12 at 07:04

1 Answer

To get a client cache to refresh, the CRL would need to expire - there's no way to 'push' notification that a client needs to get a new CRL from the CA side. You can certainly set the CRL to expire very quickly, but that's a bit counter-intuitive, as the full CRL would need to be downloaded very frequently by every client.

A more appropriate solution (or rather, solutions that were essentially built for this specific case) would be to publish fast-expiring delta CRLs (so that clients can grab a very small file and still be up to date with recent revocations - potential delay times will range up to the delta CRL interval) or an OCSP responder (which will have revocation information instantly).

If it would be possible for you to implement one of those solutions, then that's what I'd suggest - otherwise, you may simply be stuck with a very-quickly-expiring main CRL.

Shane Madden
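As an added example, not part of the question or of Shane's answer, here are the two halves of that setup as they would be typed into an elevated PowerShell prompt: on the CA, shortening the base CRL and enabling hourly delta CRLs through certutil's registry settings, then publishing immediately; on the client, discarding the locally cached CRLs so that the next chain build goes back to the CDP instead of trusting a cached copy. The certutil verbs and registry value names are the standard ones that ship with Windows; the period values, the service restart, and the certificate path are assumptions chosen for illustration.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# The certutil verbs and registry names are standard; the period values,
# the CA restart and the certificate path below are assumptions.

# --- Part 1: on the CA (Windows Server 2008 Certificate Services) ---
# Keep the base CRL valid for a day but issue a delta CRL every hour.
# Clients still download the full base CRL when it expires, but the
# hourly delta is small and carries the recent revocations.
certutil -setreg CA\CRLPeriodUnits 1          # assumed value
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 1     # assumed value
certutil -setreg CA\CRLDeltaPeriod "Hours"

# The new periods are read when the CA service starts.
Restart-Service CertSvc

# Publish a fresh base CRL and delta CRL now rather than waiting for the schedule.
certutil -CRL

# --- Part 2: on the client, before the application starts ---
# Discard the CRLs and OCSP responses in the current user's URL cache.
# This cache is per user, so run it as the account the application uses.
certutil -urlcache '*' delete

# Mark every cached CRL older than "now" as stale for the chain engine,
# so the next chain build refetches revocation data even if the cached
# CRL has not expired yet. The quotes stop PowerShell from treating
# @now as splatting. This value is machine-wide and needs admin rights.
certutil -setreg chain\ChainCacheResyncFiletime '@now'

# Check the result: build the chain with network fetches and read the
# revocation status. $UserCert is an assumed path to the user's exported cert.
$UserCert = 'C:\certs\user.cer'   # assumption
certutil -verify -urlfetch $UserCert
```

Two caveats follow from the answer. Flushing the client cache only makes the client re-download whatever the CA has already published; if the base CRL has not expired and no delta CRL is in use, the client gets the same list it just threw away, which is why the CA-side change (or an OCSP responder) is the part that actually shortens the window. And `ChainCacheResyncFiletime` is a local setting that the client sets for itself, not something the CA can push, so the per-client startup script is still needed.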