Setting the Cached CRL Validity Period

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To reduce the network bandwidth needed to retrieve CRLs, the CRL referenced by the certificate's CRL distribution point is cached on the client system that uses the certificate. You control how often the client retrieves an updated CRL by setting the CRL lifetime (its validity period).

CRL publication and client use of the most recent CRL are independent: the client does not retrieve a new CRL from its distribution point until the lifetime of the matching cached CRL has expired, however many newer CRLs the CA has published in the meantime. Therefore, when you set the CRL validity period, balance the intended CRL lifetime (how quickly a revocation should reach clients) against the actual lifetime of the cached copies, which bounds how long a revoked certificate can still be accepted.
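The interaction between the CA's publication schedule and the client's cache can be worked through with a small timing model. The following Python is an added example written for this page, not Microsoft code and not a Windows API; it assumes a CA that publishes on a fixed schedule starting at a constructed `EPOCH`, that a revocation appears on the next CRL published after it, and that a client returns to the CRL distribution point only when its cached CRL expires, which is the rule the text describes. The function names (`crl_issue_time`, `first_crl_listing`, `cached_crl_window`, `revocation_visible_at`, `worst_case_delay`) are the example's own.

```python
from datetime import datetime, timedelta

# Constructed model of the client caching rule described on this page (not Microsoft's code):
# a client keeps a cached CRL until that CRL's own lifetime (nextUpdate) passes and only then
# goes back to the CRL distribution point, no matter how often the CA has published since.

EPOCH = datetime(2024, 1, 1)  # constructed: time of the first CRL publication on the CA's schedule


def crl_issue_time(at: datetime, publish_interval: timedelta) -> datetime:
    """Issue time (thisUpdate) of the newest CRL the CA has published at or before `at`,
    assuming one publication every `publish_interval` starting at EPOCH."""
    periods = (at - EPOCH) // publish_interval  # timedelta // timedelta -> int
    return EPOCH + periods * publish_interval


def first_crl_listing(revoked_at: datetime, publish_interval: timedelta) -> datetime:
    """Issue time of the first CRL that can carry a revocation made at `revoked_at`:
    the next scheduled publication at or after the revocation."""
    issued = crl_issue_time(revoked_at, publish_interval)
    return issued if issued == revoked_at else issued + publish_interval


def cached_crl_window(fetch_at: datetime, publish_interval: timedelta,
                      validity: timedelta) -> tuple[datetime, datetime]:
    """(thisUpdate, nextUpdate) of the CRL a client obtains when it fetches at `fetch_at`."""
    if validity < publish_interval:
        # Failure mode: the cached CRL expires before a newer one exists, so every client
        # is left without a valid CRL until the next publication (a revocation-checking gap).
        raise ValueError("CRL validity is shorter than the publication interval")
    issued = crl_issue_time(fetch_at, publish_interval)
    return issued, issued + validity


def revocation_visible_at(revoked_at: datetime, fetch_at: datetime,
                          publish_interval: timedelta, validity: timedelta) -> datetime:
    """Earliest time a client that fetched a CRL at `fetch_at` can see a revocation
    made at `revoked_at`, under the caching rule above."""
    target = first_crl_listing(revoked_at, publish_interval)
    issued, expires = cached_crl_window(fetch_at, publish_interval, validity)
    if issued >= target:
        return fetch_at  # the CRL already in the cache lists the revocation
    # Otherwise the client waits for its cache to expire, fetches whatever is newest at that
    # moment, and repeats until the CRL it holds is recent enough to carry the entry.
    refresh = expires
    while True:
        issued, expires = cached_crl_window(refresh, publish_interval, validity)
        if issued >= target:
            return refresh
        refresh = expires


def worst_case_delay(publish_interval: timedelta, validity: timedelta,
                     granularity: timedelta = timedelta(seconds=1)) -> timedelta:
    """Longest interval between a revocation and the moment a client can act on it.
    The worst case is a client that fetched a fresh CRL immediately before the revocation
    and then holds that CRL for its full validity period."""
    fetch_at = EPOCH
    revoked_at = EPOCH + granularity
    return revocation_visible_at(revoked_at, fetch_at, publish_interval, validity) - revoked_at


if __name__ == "__main__":
    day = timedelta(days=1)
    # Constructed settings: the same daily publication schedule with different CRL lifetimes.
    for validity in (day, 2 * day, 7 * day):
        print(f"publish every {day}, CRL valid {validity}: "
              f"worst-case revocation delay {worst_case_delay(day, validity)}")
```

The table the script prints makes the page's point concrete: publishing more often does not shorten the worst case at all, because a client that has just cached a CRL will not look for a newer one until that CRL's validity period ends. Only the validity period you set on the CA bounds how long a revoked certificate can keep being accepted, and a validity period shorter than the publication interval produces the opposite problem, a window in which no unexpired CRL exists.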

The only way to force a client to retrieve the latest CRL from the CRL distribution point before the CRL cache on the client has expired is by clearing the CRL cache — a task that is difficult to perform in many networks.