Force CRL to be updated on the server
Hi all, Sometimes I need to generate a new CRL (before the renewal time). How can I force the CRL to be updated on the servers? Can I use a GPO? I don't want to change the CRL publication interval, nor to use OCSP. Thanks in advance.
June 16th, 2011 4:44pm

This is not following the RFC. The server, per the RFC, will cache the most recent CRL until it expires. The publication of a new CRL will only be recognized by clients that have not cached the previous CRL (in other words, have no cached CRL or an expired CRL in the cache). Depending on the operating system, you may be able to delete the cache, but this is not an enterprise-ready, nor scalable option. What is your business case? Brian
June 17th, 2011 2:31am

BTW, you previously asked this question and it was previously answered. http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ca9af627-01f6-402b-ab9e-5899d7a9c30e I am sorry that you are not happy with the answer, but it is the answer. Brian
June 17th, 2011 2:33am

Hi, I would like to be sure that if I revoke a smart logon certificate it will be replicated to every server ASAP. Maybe it's possible with the certutil command line to force the update if it isn't possible with a GPO. Thanks
June 17th, 2011 10:18am

You can delete the cache individually at *each* server (remember, not scalable); this would force a download of CRLs. But remember that the command is not guaranteed to work if an application has a hook into the existing CRL in the cache. If the servers are running Vista SP1/Windows Server 2008 or higher, you can delete the memory cache by running:

certutil -setreg chain\ChainCacheResyncFiletime @now

This must be run at every server. If you have Windows Server 2003 or earlier, this command is not part of certutil. Brian
June 17th, 2011 2:10pm
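An added example, not from the thread: pushing the certutil resync command above to a list of servers with PowerShell remoting, skipping hosts older than Vista/2008 where the option does not exist, and reading the value back so each write can be confirmed. It assumes WinRM is enabled and the caller is a local administrator on every host; the server names are placeholders.

```powershell
# Placeholder hostnames - replace with the servers that must re-read the CRL.
$servers = @('SRV-APP01', 'SRV-APP02')

$report = Invoke-Command -ComputerName $servers -ScriptBlock {
    # The setreg option only exists on Vista SP1 / Server 2008 (NT 6.0) and later;
    # Server 2003 (NT 5.2) certutil does not know it, so report and skip.
    $os = [Environment]::OSVersion.Version
    if ($os -lt [Version]'6.0') {
        return [pscustomobject]@{
            Server = $env:COMPUTERNAME; OsVersion = $os; SetOk = $false
            ReadBack = 'skipped: certutil has no ChainCacheResyncFiletime on this OS'
        }
    }

    # Same command given in the thread: stamps the chain engine's resync time with
    # "now", so the in-memory CRL cache is discarded on the next chain build.
    certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null
    $setExit = $LASTEXITCODE

    # Read the value back; a failed write shows up here rather than being assumed.
    $readBack = (certutil -getreg chain\ChainCacheResyncFiletime 2>&1 | Out-String).Trim()

    [pscustomobject]@{
        Server    = $env:COMPUTERNAME
        OsVersion = $os
        SetOk     = ($setExit -eq 0)
        ReadBack  = $readBack
    }
}

# Hosts that were unreachable over WinRM never appear in $report, so list them too.
$missing = $servers | Where-Object { $_ -notin $report.Server }

$report | Sort-Object Server | Format-Table Server, OsVersion, SetOk -AutoSize
$report | Where-Object { -not $_.SetOk } | ForEach-Object {
    Write-Warning "$($_.Server): $($_.ReadBack)"
}
$missing | ForEach-Object { Write-Warning "$_: no WinRM response, not resynced" }
```

As the thread notes, a process that already holds a handle to the cached CRL is not guaranteed to pick up the new one even after a successful resync, so a SetOk of $true means the trigger was written, not that every application on the host re-validated.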

This topic is archived. No further replies will be accepted.
