How to force windows client to wipe local CRL cache and fetch new CRL
Hi, I am doing some testing with CRL revocation. I currently have a CRL policy of 7 days and a Delta CRL policy of 1 day configured. Yesterday I revoked a computer authentication certificate for a Windows 7 PC, and I am trying to figure out how to force the client to wipe its CRL and Delta CRL and fetch a new CRL (ideally just the Delta CRL), which should invalidate the local certificate immediately. This is for testing purposes and to help tune my CRL policy. I have manually re-created a Delta CRL on the Issuing CA, and the revoked certificate's serial number is visible in the Delta CRL (not the base).

On the Windows 7 client, I have tried deleting the local CRL and Delta CRL cache by deleting these folders and running these commands, taken from the limited documentation I have found on the internet for this matter, but the Windows 7 client certificate is still valid:

Delete: %APPDATA%\Microsoft\CryptnetUrlCache
Delete: %WINDIR%\System32\config\SystemProfile\AppData\*\Microsoft\CryptnetUrlCache
Run command: Certutil urlcache * delete
Reboot

Is there anything else I can do to force a Windows 7 machine to immediately invalidate the revoked certificate using CRL and Delta CRL? I am aware of OCSP; I just wish to override CRL and cannot find much documentation on the topic.
September 24th, 2012 8:41pm

What is your truly expected time for revocation recognition? Once you have decided that, you should adjust your CRL (base and delta) publication interval to match the required timing. Do not depend on deleting the cache. Even with the details I am providing in this post, you are not guaranteed to clear the CRL cache, because an app could have a thread connected to the CRL, preventing deletion. In the whitepaper that I wrote with Yogesh Mehta (http://www.microsoft.com/en-us/download/details.aspx?id=5493 or http://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx) we cover the way to cause Vista (and Windows 7) to clear the cache. In the section titled "Flushing the Memory Cache", you will see that you can clear the cache by running `certutil -setreg chain\ChainCacheResyncFiletime @now` at an Admin command prompt. The commands you were trying to run are more XP-specific and are not guaranteed to work. Brian
September 25th, 2012 12:30am
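The following PowerShell is an added example (it is not part of the thread above and not taken from the whitepaper Brian cites) that puts his two points into a runnable form: shorten the base/delta CRL publication interval on the issuing CA, then flush the client's in-memory chain cache with the `ChainCacheResyncFiletime` command and re-check the certificate with Windows' own chain engine so the result can be observed without a reboot. It assumes an elevated prompt on both machines, that the CA is a Windows Enterprise/Standalone CA using the standard certsvc registry values, and PowerShell 2.0 syntax so it also runs on Windows 7. The interval values and the certificate selection are illustrative assumptions, not values from the post.

```powershell
# Added example, not from the original thread. Run from an elevated prompt.

# ---- Issuing CA side (Brian's first point) -------------------------------
# Shorten the base and delta CRL publication intervals so that the CRLs
# themselves expire within the revocation-recognition time you require.
# The values below (1 day base, 4 hours delta) are illustrative assumptions.
function Set-CrlPublicationInterval {
    param(
        [int]$BaseDays   = 1,
        [int]$DeltaHours = 4
    )
    certutil -setreg CA\CRLPeriodUnits      $BaseDays
    certutil -setreg CA\CRLPeriod           "Days"
    certutil -setreg CA\CRLDeltaPeriodUnits $DeltaHours
    certutil -setreg CA\CRLDeltaPeriod      "Hours"
    # certsvc reads these values at start-up, so restart it ...
    net stop  certsvc
    net start certsvc
    # ... and publish a fresh base + delta CRL right away ("-CRL delta" for delta only).
    certutil -CRL
}

# ---- Windows 7 client side (Brian's second point) ------------------------
function Reset-ChainCache {
    # Flush the CryptoAPI in-memory chain cache (the Vista/Windows 7 method
    # from the "Flushing the Memory Cache" section of the whitepaper).
    certutil -setreg chain\ChainCacheResyncFiletime @now
    # Also drop the on-disk URL cache of the *calling* user so the next
    # chain build must refetch the base and delta CRL from the CDP.
    certutil -urlcache * delete
}

function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$ns.X509Chain"
    # Online mode forces a CRL/delta fetch if nothing valid is cached;
    # EntireChain checks every certificate in the path, not just the leaf.
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $built   = $chain.Build($Certificate)
    $revoked = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $unknown = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
    $flags   = $chain.ChainStatus | ForEach-Object { $_.Status }

    New-Object PSObject -Property @{
        Subject           = $Certificate.Subject
        SerialNumber      = $Certificate.SerialNumber
        ChainValid        = $built
        Revoked           = @($flags | Where-Object { ($_ -band $revoked) -ne 0 }).Count -gt 0
        RevocationUnknown = @($flags | Where-Object { ($_ -band $unknown) -ne 0 }).Count -gt 0
        StatusText        = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# Usage on the client: pick the machine certificate under test (first one
# with a private key is an assumption; select by thumbprint in practice),
# flush, then re-evaluate. Repeat Test-CertificateRevocation until
# Revoked becomes True or the cached CRL's NextUpdate passes.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -First 1
Reset-ChainCache
Test-CertificateRevocation -Certificate $cert | Format-List
```

Two caveats follow from the thread itself. `certutil -urlcache` only touches the cache of the account running it; the computer-authentication check the question is about runs as the machine account, whose cache is the `SystemProfile` path the poster already listed, so the flush has to happen in that context (for example via a task running as SYSTEM). And a `RevocationStatusUnknown` result after the flush usually means the client could not fetch the CRL from the CDP at all, which is a different problem from a stale cache; `certutil -verify -urlfetch <cert.cer>` on the same file shows which URL failed.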


Thanks Brian
September 25th, 2012 2:31am
