Invalidate CRL cache

Is there a way to immediately invalidate the CRL (Certificate Revocation List) cache causing clients to download the CRL again?

I would like to achieve it in C# without resorting to the command line 'certutil.exe'.

Even better would be to be able to set the invalidation time (like UtcNow + 12 hours).

Daniel Avatar asked May 09 '12 14:05


1 Answer

I have already implemented such a solution; it updates the CRL cache on client machines every x hours, depending on the scheduler settings. You can read about CRLs here: http://social.technet.microsoft.com/wiki/contents/articles/4954.certificate-status-and-revocation-checking.aspx

The CRL cache is stored on the client machine in special folders and consists of two files, stored in the Metadata and Content folders. These folders are placed in “C:\Documents and Settings\{user name}\Application Data\Microsoft\CryptnetUrlCache”, and the per-machine cache location is “%WINDIR%\System32\config\SystemProfile\Application Data\Microsoft\CryptnetUrlCache”. Cache files are named with the MD5 hash sum of the CRL URL. The file in the "Metadata" folder contains some constant data, the date of the last update, the CRL URL, the CRL file size and other things. The file in the "Content" folder is the CRL file itself and has the same name as the file in "Metadata". I parse the meta file, check if it is invalid, load a new CRL file from the CRL URL, place it in the "Content" folder and rebuild the metadata file. I use the BouncyCastle library for these purposes. As a scheduling library I use Quartz.Net.

Layko Andrey Avatar answered Sep 30 '22 17:09
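The answer above describes the approach in prose only. The following C# class is an added example (it is not the answerer's code, nor part of Windows or BouncyCastle) that implements the part of that approach the page actually documents: derive the cache file name from the CRL URL, parse the cached CRL from the "Content" folder with BouncyCastle, decide whether it is stale using a refresh-ahead window (the "UtcNow + 12 hours" idea from the question), and download a replacement from the distribution point after checking that the replacement itself parses and is current. Two details are assumptions rather than facts from the page: that the cache file name is the upper-case hex MD5 of the URL encoded as UTF-16LE, and that the cache root folder is supplied by the caller. Rebuilding the "Metadata" file is deliberately not shown, because the page does not describe that file's format; the `crl.example.test` URL and the optional issuer key are placeholders.

```csharp
// Added example, not code from the question or the answer.
// Requires the BouncyCastle .NET package (Org.BouncyCastle.*) and System.Net.Http.
using System;
using System.IO;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.X509;

public sealed class CrlCacheRefresher
{
    private readonly string _cacheRoot;              // CryptnetUrlCache folder chosen by the caller (assumption)
    private readonly HttpClient _http = new HttpClient();

    public CrlCacheRefresher(string cacheRoot)
    {
        _cacheRoot = cacheRoot;
    }

    // Cache file name derived from the CRL URL. The page says "MD5 hash sum of the CRL URL";
    // the UTF-16LE input encoding and upper-case hex output are assumptions of this example.
    public static string CacheFileNameFor(string crlUrl)
    {
        using (var md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(Encoding.Unicode.GetBytes(crlUrl));
            return BitConverter.ToString(hash).Replace("-", string.Empty);
        }
    }

    // A CRL is treated as stale when it is missing, unparsable, lacks NextUpdate,
    // or will pass NextUpdate within the caller's refresh-ahead window.
    // If an issuer public key is supplied, the CRL signature is verified as well,
    // so a tampered or mis-served file is never accepted as "current".
    public static bool IsStale(byte[] crlDer, DateTime nowUtc, TimeSpan refreshAhead, AsymmetricKeyParameter issuerKey = null)
    {
        if (crlDer == null || crlDer.Length == 0) return true;
        try
        {
            X509Crl crl = new X509CrlParser().ReadCrl(crlDer);
            if (crl == null || crl.NextUpdate == null) return true;
            if (issuerKey != null) crl.Verify(issuerKey);    // throws on a bad signature
            DateTime nextUpdate = crl.NextUpdate.Value.ToUniversalTime();
            return nowUtc + refreshAhead >= nextUpdate;
        }
        catch (Exception)
        {
            return true;    // corrupt, truncated or wrongly signed: re-download rather than trust it
        }
    }

    // Returns true when the cached copy was replaced, false when it was still usable.
    public bool RefreshIfStale(string crlUrl, TimeSpan refreshAhead, AsymmetricKeyParameter issuerKey = null)
    {
        string contentPath = Path.Combine(_cacheRoot, "Content", CacheFileNameFor(crlUrl));
        byte[] current = File.Exists(contentPath) ? File.ReadAllBytes(contentPath) : null;
        if (!IsStale(current, DateTime.UtcNow, refreshAhead, issuerKey)) return false;

        byte[] fresh = _http.GetByteArrayAsync(crlUrl).GetAwaiter().GetResult();

        // Never overwrite the cache with something that is itself unusable.
        if (IsStale(fresh, DateTime.UtcNow, TimeSpan.Zero, issuerKey))
            throw new InvalidOperationException("Downloaded CRL is unparsable, expired or not signed by the expected issuer; cached copy kept.");

        Directory.CreateDirectory(Path.GetDirectoryName(contentPath));
        File.WriteAllBytes(contentPath, fresh);
        return true;
    }

    public static void Main()
    {
        // Per-machine cache path as given in the answer; the URL is a placeholder.
        string root = Environment.ExpandEnvironmentVariables(
            @"%WINDIR%\System32\config\SystemProfile\Application Data\Microsoft\CryptnetUrlCache");
        var refresher = new CrlCacheRefresher(root);
        bool refreshed = refresher.RefreshIfStale("http://crl.example.test/ca.crl", TimeSpan.FromHours(12));
        Console.WriteLine(refreshed ? "CRL refreshed from distribution point" : "Cached CRL still valid");
    }
}
```

The refresh-ahead window is what gives the questioner's "UtcNow + 12 hours" behaviour: with `TimeSpan.FromHours(12)` the cached file is replaced as soon as its NextUpdate is less than twelve hours away, rather than only after it has lapsed. Writing into the per-machine folder needs the same privileges as the system profile, and because the page does not document the Metadata file layout, a scheduled job built on this class should treat the Content file as the authoritative copy and leave the Metadata entry for the caller to handle.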