How do we clear the CRL cache in Windows Server 2008 using the certutil command

active-directory, ad-certificate-services, crl

I know we can clear the CRL cache in Windows Server 2008 using the certification authority UI. However, I want to automate the process and am therefore looking for a way to do it from the command line. Is it possible using certutil or any other default utility in Windows?

Regards,

Andy

Best Answer

To get a client cache to refresh, the CRL would need to expire - there's no way to 'push' a notification from the CA side that a client needs to get a new CRL. You can certainly set the CRL to expire very quickly, but that's a bit counter-intuitive, as the full CRL would need to be downloaded very frequently by every client.

A more appropriate solution (or rather, solutions that were essentially built for this specific case) would be to publish fast-expiring delta CRLs (so that clients can grab a very small file and still be up to date with recent revocations - potential delay times will range up to the delta CRL interval) or an OCSP responder (which will have revocation information instantly).

If it would be possible for you to implement one of those solutions, then that's what I'd suggest - otherwise, you may simply be stuck with a very-quickly-expiring main CRL.
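As an added example (not part of the original question or answer), here is the delta-CRL configuration the answer recommends, done from PowerShell with certutil so it can be scripted rather than clicked through in the CA console. It assumes it is run elevated on the CA host, that the `CA\` alias certutil accepts for the active CA's configuration registry key is used, and that the interval values (base CRL valid for 1 day, delta CRL valid for 1 hour) are illustrative rather than a recommendation for every deployment.

```powershell
# Added example, not from the original thread. Configures an AD CS CA to publish
# a long-lived base CRL plus a short-lived delta CRL, restarts the service so the
# new periods take effect, publishes immediately, and reads the settings back.
# Assumption: run elevated on the CA itself; "CA\" is certutil's alias for the
# active CA's key under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

$ErrorActionPreference = 'Stop'

# Base CRL: comparatively long-lived, so every client is not refetching the full
# revocation list all day. (Illustrative value: 1 day.)
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Days"

# Delta CRL: short-lived, so a fresh revocation reaches clients at most one delta
# interval after publication. A non-zero CRLDeltaPeriodUnits enables delta CRLs;
# setting it to 0 turns them off. (Illustrative value: 1 hour.)
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Hours"

# The CA reads these values at start-up, so restart it before publishing.
Restart-Service CertSvc

# Publish a new base CRL and delta CRL now instead of waiting for the next
# scheduled publication.
certutil -CRL

# Read the effective settings back so the script's result can be checked in logs.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod

# The CDP locations must also be configured to publish delta CRLs and to include
# the Freshest CRL extension in issued certificates; display them for review.
certutil -getreg CA\CRLPublicationURLs
```

Note that, as the answer says, this does nothing to caches clients already hold: a client keeps using its cached base or delta CRL until that CRL's own validity ends, which is exactly why the delta interval, not any action on the CA, bounds how quickly a revocation is seen. If you need it faster than a delta interval you can tolerate, the OCSP responder the answer mentions is the remaining option.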