3rd party CA's CRL cache in domain controller?

Tero

Hi,

We are using a 3rd party CA in our environment and are using the certificates
e.g. in smart card logon.
We sometimes have a situation where the connection to the LDAP of the CA where the
CRL is distributed is broken. The validity time of the CRL is 1 hour. Because of
this problem we are planning to increase the validity time of the CRL.
The question is: how long does the domain controller (Win 2003 Server)
keep the CRL in cache, and where is the cache located?

Thank you,
Tero
 
Jan Liikamaa

It keeps the CRL in the cache until the NextUpdate value defined in the CRL.
CRL files are cached among the temporary internet files. Run "certutil
-urlcache CRL" to see your cached CRLs.

"Tero" wrote:

> Hi,
>
> We are using a 3rd party CA in our environment and are using the certificates
> e.g. in smart card logon.
> We sometimes have a situation where the connection to the LDAP of the CA where the
> CRL is distributed is broken. The validity time of the CRL is 1 hour. Because of
> this problem we are planning to increase the validity time of the CRL.
> The question is: how long does the domain controller (Win 2003 Server)
> keep the CRL in cache, and where is the cache located?
>
> Thank you,
> Tero
 
Jan Liikamaa

Run "certutil -v -urlcache CRL" to get more verbose information about
the location.

"Tero" wrote:

> Hi,
>
> We are using a 3rd party CA in our environment and are using the certificates
> e.g. in smart card logon.
> We sometimes have a situation where the connection to the LDAP of the CA where the
> CRL is distributed is broken. The validity time of the CRL is 1 hour. Because of
> this problem we are planning to increase the validity time of the CRL.
> The question is: how long does the domain controller (Win 2003 Server)
> keep the CRL in cache, and where is the cache located?
>
> Thank you,
> Tero
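
Since the answers above tie the cache lifetime to the CRL's NextUpdate field, here is an added example (not part of the thread) that reads thisUpdate/nextUpdate from a DER-encoded CRL and computes how long a cache honouring NextUpdate would keep serving it. The function names, timestamps and the 8-hour validity are assumptions; the sample CRL is a constructed skeleton with a dummy issuer and signature, and no signature checking is done.

```python
from datetime import datetime, timedelta, timezone

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length, as real CRLs use
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as UTC."""
    text = value.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years 50-99 are 19xx, 00-49 are 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_update_times(der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList."""
    _, cert_list, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert_list, 0)
    pos, times = 0, []
    while pos < len(tbs) and len(times) < 2:
        tag, value, pos = read_tlv(tbs, pos)
        if tag in (0x17, 0x18):
            times.append(parse_time(tag, value))
        elif times:  # something else follows thisUpdate: nextUpdate is absent
            break
    return times[0], (times[1] if len(times) > 1 else None)

def cache_seconds_left(der, now):
    """Seconds a cache that honours NextUpdate keeps serving this CRL."""
    next_update = crl_update_times(der)[1]
    return max(0.0, (next_update - now).total_seconds()) if next_update else 0.0

def sample_crl(this_update, next_update):
    """Constructed CRL skeleton: real field order, dummy issuer and signature."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short lengths suffice here
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    when = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + tlv(0x30, b"") + when(this_update) + when(next_update))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamps
NOW = ISSUED + timedelta(minutes=20)
CRL_1H = sample_crl(ISSUED, ISSUED + timedelta(hours=1))  # validity from the thread
CRL_8H = sample_crl(ISSUED, ISSUED + timedelta(hours=8))  # assumed longer validity
```

With these constructed values, `cache_seconds_left(CRL_1H, NOW)` is 2400 seconds and `cache_seconds_left(CRL_8H, NOW)` is 27600; a cache that waits for NextUpdate does not pick up revocations published during that time.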
 
