Resetting local Certificate Revocation List (CRL) Cache

  • In the wake of the Heartbleed vulnerability, CloudFlare offered a challenge to steal the private key of https://www.cloudflarechallenge.com. When the challenge was completed they revoked the certificate that had secured the site. Once a certificate is revoked, a web browser should display a warning and/or block access to the website. However, this didn't happen on clients that visited the website with IE10 or IE11.


    It turns out that Windows (CryptoAPI, which IE relies on for certificate validation) caches Certificate Revocation Lists (CRLs) and CA certificates by default so that certificate chains can be verified quickly. The downside of this behaviour is that a newer CRL is not fetched until the locally cached copy has expired, i.e. until the cached CRL's NextUpdate time has passed. A revocation published in between is simply not seen by the client.


    Until the cached CRL expires, the client therefore keeps accepting the revoked certificate, and anyone holding the leaked private key can impersonate the site in a man-in-the-middle attack. On Windows, IE users can force the cache to be discarded themselves with the commands below.


    Windows XP (not tested - use at own risk)

    Code
    rem Delete all CRLs held in the current user's CryptoAPI URL cache.
    rem Run "certutil -urlcache crl" (without "delete") first to list what is cached.
    certutil -urlcache crl delete



    Windows Vista and above

    Code
    rem Mark every cached chain and CRL older than "now" as stale, so the chain
    rem engine re-fetches revocation data on the next validation.
    rem Writes to HKLM, so run from an elevated (Run as administrator) prompt.
    certutil -setreg chain\ChainCacheResyncFiletime @now


    The -setreg command writes to HKLM and will fail with "Access is denied" from a non-elevated prompt. After executing it, close and reopen the browser; in some cases a restart of the PC is required before the setting takes effect. You can confirm the value was written with "certutil -getreg chain\ChainCacheResyncFiletime".
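The whole procedure as a single script, added here as an example and not part of the original post: it lists the cached CRLs, drops them, resets the chain cache resync time, and then re-verifies a certificate while forcing a fresh fetch of its CRL so that a revocation shows up in the output. The path C:\temp\site.cer is a hypothetical location for an exported copy of the server certificate; every certutil switch used is a documented one.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# session: "certutil -setreg" writes under HKLM and fails otherwise.
# Assumption: the server certificate has been exported (DER or Base64) to $certPath.
$certPath = 'C:\temp\site.cer'   # hypothetical path, adjust to your export

function Reset-CrlCache {
    # 1. Show what CryptoAPI currently holds in the per-user URL cache.
    Write-Host '--- Cached CRLs before reset ---'
    certutil -urlcache crl

    # 2. Drop the cached CRLs (the XP step above). Per-user, no elevation needed.
    certutil -urlcache crl delete
    if ($LASTEXITCODE -ne 0) { Write-Warning "urlcache delete returned $LASTEXITCODE" }

    # 3. Tell the chain engine that every cached chain/CRL older than now is stale
    #    (the Vista+ step above). Quoted so PowerShell does not treat @now as splatting.
    certutil -setreg 'chain\ChainCacheResyncFiletime' '@now'
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'setreg failed; re-run from an elevated prompt (Run as administrator).'
    }

    # 4. Read the value back to confirm it was written.
    certutil -getreg 'chain\ChainCacheResyncFiletime'
}

function Test-CertificateRevocation([string] $Path) {
    # 5. Re-validate the certificate, forcing certutil to download the AIA and CRL
    #    URLs instead of using cached copies. A revoked certificate produces a
    #    revocation error in the verification output.
    if (-not (Test-Path $Path)) {
        Write-Warning "Export the server certificate to $Path first (e.g. from the browser's certificate viewer)."
        return
    }
    Write-Host "--- Verifying $Path with fresh CRL fetch ---"
    certutil -f -urlfetch -verify $Path
}

Reset-CrlCache
Test-CertificateRevocation -Path $certPath
```

The -urlfetch verification is the useful check: if it still reports the certificate as valid after the reset, the CA has not yet published the revocation in its CRL, and no amount of client-side cache clearing will help.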
