Francesco Geri

How to refresh the CRL cache on Windows Vista

I am posting on my blog (so that I can find it again quickly) a post (freely modified) that has been useful to me a couple of times.

By default, Windows caches Certificate Revocation Lists (CRLs) and CA certificates so that it can verify certificate chains quickly. The downside of this behavior is that the client does not pick up a newer CRL until the locally cached CRL has expired.

Windows versions before Windows Vista do not support deletion or a forced update of the CRL cache.

You can view what is in your current CRL cache with the following command:
certutil -URLcache CRL

You can delete what is in your current CRL cache with the following command:
certutil -URLcache CRL delete

On Windows Vista, CAPI 2.0 supports setting an expiry date for the CRL and OCSP cache. You can use certutil to set a date and time at which all cache entries become invalid. The following commands require administrative permissions on the system.

To see when the cache was last invalidated, run this command:
certutil -getreg chain\ChainCacheResyncFiletime

Note: If ChainCacheResyncFiletime has never been set manually, the registry value does not exist and the following error message is shown:

CertUtil: -getreg command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

This error can be ignored, because default CRL caching takes place in this case.

If the @now parameter is used, all cached entries are invalidated immediately.
certutil -setreg chain\ChainCacheResyncFiletime @now

To keep the cached entries for another 3 days and 6 hours, use this command:
certutil -setreg chain\ChainCacheResyncFiletime @now+3:6

To delete the registry value:
certutil -delreg chain\ChainCacheResyncFiletime
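
The steps above combined into one PowerShell function, added here as an example (it is not part of the original post). The function names and the optional -CertPath parameter are assumptions for illustration, and `-verify -urlfetch` is a standard certutil verb that the post itself does not mention.

```powershell
# Added example: invalidate cached revocation data, then optionally re-verify a certificate.

function Get-ChainCacheResync {
    # Returns certutil's output, or $null when the value has never been set
    # (certutil then fails with 0x80070002, which the post says can be ignored).
    $out = (& certutil.exe -getreg 'chain\ChainCacheResyncFiletime' 2>&1 | Out-String).Trim()
    if ($out -match '0x80070002') { return $null }
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed:`n$out" }
    return $out
}

function Reset-RevocationCache {
    param([string]$CertPath)  # assumption: optional certificate file to re-verify afterwards

    # The -setreg step requires an elevated session.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $admin     = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($admin)) { throw 'Run this from an elevated prompt.' }

    $before = Get-ChainCacheResync
    if ($null -eq $before) {
        Write-Host 'ChainCacheResyncFiletime is not set; default caching was in effect.'
    } else {
        Write-Host "Previous setting:`n$before"
    }

    # Quote '@now': unquoted, PowerShell parses @now as splatting of $now
    # and certutil never receives the argument.
    & certutil.exe -setreg 'chain\ChainCacheResyncFiletime' '@now' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed.' }

    # Also drop the cached CRL entries, as shown earlier in the post.
    & certutil.exe -URLcache CRL delete

    if ($CertPath) {
        # Not from the post: re-check the chain and retrieve revocation data again,
        # so the output shows which CRL the client now sees.
        & certutil.exe -f -urlfetch -verify $CertPath
    }
}
```

Call `Reset-RevocationCache` with no arguments to invalidate the cache only, or pass `-CertPath` with a certificate file to check the result straight away.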

Posted on Tuesday, 29 April 2008, 22:42 | Filed under [ Tips Vista ]
