Problems with certificates. Public Key Infrastructure (PKI)
We are testing smartcard logon. Our server is Windows 2003 and the client computers are Windows XP and 7 machines. We raised AD, IIS and a CA on Server 2003, and all client computers are in the domain. We can successfully use the smartcard to log on.

Then we revoked a certificate, created a CRL which contains the revoked certificate information, and published it. That was successful (when the user tried to log on using the token, it said that the certificate had been revoked). We then changed the system time (on the CA server) and unrevoked the certificate, but the user couldn't log on. I tried it many times; when the system time is changed manually, CRL update problems appear. When a user certificate is valid, the user cannot log on, or vice versa: when a user certificate is not valid, he can log on. Everything works properly until the system time is changed. I think that when the system time changes on the server, the client computer cannot update the CRL, and that is why such problems appear. I want it to work properly even though I changed the time.

My questions:

How can I force the client side to update the CRL after changing the system time? Can I manage this remotely from the server or from Group Policy? We may have 100-200 clients in our environment; must I do it on every client manually? It will be very difficult and annoying.

At http://support.microsoft.com/kb/281245 there is a title about revocation checking problems. It says that "Revocation check for the built in revocation providers cannot be turned off. If a custom installable revocation provider is installed, it must be turned on." What does it mean? If I use a third-party certification authority, must I turn on revocation checking manually? And how can I do it? Where is it turned on?

Thanks a lot!
December 5th, 2010 8:32am

This topic is archived. No further replies will be accepted.
