

Certificate Revocation Cache

How do I force propagation of changes to information about a certificate revocation list after an update?

A service has several kinds of caching around the information that links a certificate to its revocation information.

The first kind of caching is based on the revocation mode of the certificate. A revocation mode of NoCheck disables checking on the certificate while a revocation mode of Offline directs checking to use a cached certificate revocation list. A revocation mode of Online gets the freshest data.

The second kind of caching is at the service process. Information is stored in memory as long as the process continues to run to reduce the number of active checks required. This memory cache is cleared when the process restarts.

The third kind of caching is at the machine. Information is cached by the machine for a limited time, again to reduce the number of active checks required. The machine cache can be viewed by running "certutil -urlcache", and the same command is used to delete or force an update of specific cache entries.
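The process and machine caches described above, refreshed in order after a new certificate revocation list is published. This is an added example, not code from the original post; the CRL URL, service name and certificate path are placeholders.

```powershell
# Added example: every default below is a placeholder, not a value from the post.
param(
    [string]$CrlUrl      = 'http://pki.example.test/crl/ExampleIssuingCA.crl', # placeholder CRL distribution point
    [string]$ServiceName = 'ExampleServiceHost',                               # hypothetical Windows service name
    [string]$CertPath    = 'C:\temp\client.cer'                                # placeholder certificate to re-check
)

# Assumption: this runs elevated and under the account whose cache the
# service reads, so certutil works on the same cache entries.

# 1. Machine cache: show which CRLs are cached right now.
certutil -urlcache CRL

# 2. Machine cache: delete the entry for this one CRL...
certutil -urlcache $CrlUrl delete
if ($LASTEXITCODE -ne 0) { Write-Warning "No cached entry removed for $CrlUrl" }

# 3. ...then force a fetch so the cache holds the newly published CRL.
certutil -f -urlcache $CrlUrl
if ($LASTEXITCODE -ne 0) { throw "Fetch of $CrlUrl failed" }

# 4. Process cache: it lives in the service's memory, so only a restart clears it.
Restart-Service -Name $ServiceName

# 5. Check: rebuild the chain with fresh URL retrieval and read the
#    revocation result reported for the certificate.
certutil -f -urlfetch -verify $CertPath
```

The first layer, the revocation mode, is a setting of the service itself and is not changed by this script.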

Next time: Getting Rid of Namespaces

Comments

  • Anonymous
    August 07, 2008
    It's bad practice to use system types when defining an operation contract. A system type is often a complex