CRL Troubleshooting for Smart Card Logon

Verifying the revocation check process
Step 1 — Check for a CDP in the certificate

Open the certificate and look for a CRL Distribution Point (CDP) extension. If there is no CDP and revocation checking has not been disabled, the KDC cannot determine the certificate's revocation status and smart card logon fails.

Step 2 — Test connectivity to the CDP from the client

Export the logon certificate from the card to a file (test.cer here) and let certutil retrieve every URL in the chain and verify it:

certutil -urlfetch -verify test.cer
Step 3 — Repeat the test as the SYSTEM account

The SYSTEM account uses the WinHTTP proxy configuration, which is separate from the current user's Internet Options (WinINet) proxy, so a test that works as the logged-on user can still fail for the authentication component. Use PsExec to repeat the test as SYSTEM:

psexec -s certutil -urlfetch -verify test.cer
Step 4 — Repeat the test on the domain controller, as SYSTEM

psexec -s certutil -urlfetch -verify test.cer

Typical results (the original page shows a screenshot of each):

  Working CRL check    revocation status OK ("Leaf certificate revocation check passed")
  No network           error 0x800708CA (ERROR_NOT_CONNECTED)
  Timeout              error 0x80072EE2 (ERROR_WINHTTP_TIMEOUT, most likely a proxy issue)

certutil prints the hex codes in lower case, so search the output case-insensitively.
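The four steps above as one PowerShell script. This is an added example and not code from the original article; it assumes the smart card logon certificate has already been exported to the path in $CertPath (a placeholder) and that PsExec.exe is on PATH when -AsSystem is used. Run it from an elevated prompt on the client and again on the domain controller.

```powershell
# Added example (not part of the original article): steps 1 to 4 above in one script.
# Assumptions: the smart card logon certificate has been exported to $CertPath, and
# PsExec.exe is on PATH when -AsSystem is used (run from an elevated prompt).
param(
    [string]$CertPath = 'C:\temp\test.cer',   # placeholder path
    [switch]$AsSystem
)

# Step 1: look for the CRL Distribution Points extension (OID 2.5.29.31). The
# Authority Information Access extension (OID 1.3.6.1.5.5.7.1.1) is reported as well,
# because an OCSP responder listed there can also satisfy the revocation check.
function Get-RevocationSources {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $aia  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    # Format($true) renders an extension as multi-line text, one URL per line
    $cdpText = $null; if ($cdp) { $cdpText = $cdp.Format($true).Trim() }
    $aiaText = $null; if ($aia) { $aiaText = $aia.Format($true).Trim() }
    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        HasCdp   = [bool]$cdp
        Cdp      = $cdpText
        Aia      = $aiaText
    }
}

# Steps 2 to 4: run certutil -urlfetch -verify (as the current user or as SYSTEM) and
# pull out the lines a troubleshooter looks at first.
function Test-RevocationFetch {
    param([string]$Path, [switch]$AsSystem)
    if ($AsSystem) {
        # SYSTEM uses the WinHTTP proxy, not the current user's Internet Options proxy
        $raw = & psexec.exe -s -accepteula certutil.exe -urlfetch -verify $Path 2>&1
        $context = 'SYSTEM'
    } else {
        $raw = & certutil.exe -urlfetch -verify $Path 2>&1
        $context = $env:USERNAME
    }
    $lines = $raw | ForEach-Object { "$_" }
    $text  = $lines -join "`n"

    # HRESULTs called out in the article, with their Win32/WinHTTP names.
    # -like and -match are case-insensitive, which matters because certutil prints
    # the codes in lower case.
    $known = @{
        '0x800708CA' = 'ERROR_NOT_CONNECTED - no network path to the CDP'
        '0x80072EE2' = 'ERROR_WINHTTP_TIMEOUT - request timed out, check the WinHTTP proxy'
    }
    $diagnosis = foreach ($code in $known.Keys) {
        if ($text -like "*$code*") { "$code $($known[$code])" }
    }

    [pscustomobject]@{
        Context   = $context
        Passed    = $text -like '*Leaf certificate revocation check passed*'
        Diagnosis = @($diagnosis)
        # every URL retrieval certutil reports as failed, plus its explicit ERROR lines
        Failures  = @($lines | Where-Object { $_ -match '^\s*(Failed|ERROR:)' })
    }
}

Get-RevocationSources -Path $CertPath | Format-List
Test-RevocationFetch -Path $CertPath -AsSystem:$AsSystem | Format-List
```

Run it once without and once with -AsSystem on each machine; a HasCdp of False with an empty Aia means no network fix will help and the certificate has to be reissued or revocation checking disabled as described below.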
Solving CRL network issues

If the certificate has no CDP, the revocation check can never succeed, so CRL checking must be disabled on both the client and the domain controller (see below). Disabling it also means a revoked card can still log on, so the proper fix is to reissue certificates with a reachable CDP and to treat the registry change as a troubleshooting measure.

Other errors are usually network or proxy problems. The component that performs the authentication runs as SYSTEM and uses the WinHTTP proxy settings, which are separate from the per-user Internet Options (WinINet) proxy; a proxy that works in the user's browser does not automatically apply to it.

View current system proxy settings

  Windows version           Command
  Windows XP / 2003         proxycfg
  Windows Vista and later   netsh winhttp show proxy

Set or clear the system proxy

  Action                          XP / 2003             Vista and later
  Set a static proxy              proxycfg -p <proxy>   netsh winhttp set proxy <proxy>
  Copy the current user's IE      proxycfg -u           netsh winhttp import proxy source=ie
  proxy into the system proxy
  Clear proxy (direct access)     proxycfg -d           netsh winhttp reset proxy

A direct-access setting is reported by netsh winhttp show proxy as "Direct access (no proxy server)".

[Screenshot: output of netsh winhttp show proxy, used to check the system proxy]
Clear the CRL cache for testing
Step 1 — Disconnect from the network

Unplug the network cable or disable Wi-Fi so that no new CRL is fetched while the caches are being cleared.

Step 2 — Clear the browser (WinINet) cache (HTTP/HTTPS CRLs)

Open Internet Explorer → Internet Options → Browsing History → Delete, and delete the Temporary Internet Files. This clears the per-user WinINet cache; it does not touch the CryptoAPI disk cache, which is cleared in the next step.

[Screenshot: Internet Explorer delete browsing history dialog, clearing the WinINet cache via Internet Options]
Step 3 — Clear the CryptoAPI disk cache

For the current user:

certutil -urlcache * delete

For the SYSTEM account (requires elevated prompt):

psexec -s certutil -urlcache * delete

To verify cache contents:

psexec -s certutil -urlcache
[Screenshot: certutil -urlcache output, checking and clearing the CryptoAPI URL cache]
Step 4 — Clear the chain cache for all processes
certutil -setreg chain\ChainCacheResyncFiletime @now
[Screenshot: certutil -setreg chain\ChainCacheResyncFiletime @now, resetting the chain cache]
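Steps 2 to 4 of the cache-clearing procedure as one PowerShell script, with a count of CryptoAPI disk cache entries before and after so that you can confirm the cache is actually empty. This is an added example, not code from the original article. It assumes an elevated prompt, PsExec.exe on PATH, that the network was already disconnected by hand (step 1), and the standard cache layout under AppData\LocalLow\Microsoft\CryptnetUrlCache for the user and the SYSTEM profile.

```powershell
# Added example (not part of the original article): steps 2 to 4 above as one script,
# plus a count of CryptoAPI disk cache entries before and after. Assumptions: elevated
# prompt, PsExec.exe on PATH, the network already disconnected (step 1 stays manual),
# and the cache directory layout used below.

# CryptoAPI keeps one MetaData file (and one Content file) per cached URL, so the
# number of files under MetaData is the number of cached CRLs and certificates.
function Get-CryptnetCacheEntryCount {
    param([string]$ProfileRoot)
    $meta = Join-Path $ProfileRoot 'AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData'
    if (Test-Path -LiteralPath $meta) {
        @(Get-ChildItem -LiteralPath $meta -File -Force).Count
    } else {
        0
    }
}

function Show-CacheCounts {
    param([string]$Label)
    # the SYSTEM account's profile; this is where the cache used by lsass/KDC lives
    $systemProfile = Join-Path $env:SystemRoot 'System32\config\systemprofile'
    $userCount   = Get-CryptnetCacheEntryCount $env:USERPROFILE
    $systemCount = Get-CryptnetCacheEntryCount $systemProfile
    '{0}: user={1} system={2}' -f $Label, $userCount, $systemCount
}

Show-CacheCounts 'Before'

# Step 2: the WinINet (Temporary Internet Files) cache, the same thing
# Internet Options > Delete does. 8 selects Temporary Internet Files.
# The argument is quoted: an unquoted comma would make PowerShell pass two arguments.
& RunDll32.exe 'InetCpl.cpl,ClearMyTracksByProcess' 8

# Step 3: the CryptoAPI disk cache, first for the current user, then for SYSTEM.
# PowerShell passes * to native commands unchanged, so no quoting is needed here.
& certutil.exe -urlcache * delete
& psexec.exe -s -accepteula certutil.exe -urlcache * delete

# Step 4: bump the chain-cache resync time so every process drops its in-memory
# chain cache. '@now' is quoted because an unquoted @now is read by PowerShell as a
# splatted variable and would be dropped from the command line.
& certutil.exe -setreg 'chain\ChainCacheResyncFiletime' '@now'

Show-CacheCounts 'After'
```

The "After" line should report 0 entries for both profiles; a non-zero SYSTEM count usually means the PsExec call ran without elevation.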
Disable CRL checks for smart card logon

These values make the KDC and the Kerberos client accept a certificate whose revocation status cannot be determined (UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors) and shorten the revocation lookup (CRLTimeoutPeriod, in seconds). While they are set, a revoked smart card certificate can still be used to log on, so apply them only while troubleshooting and remove them once the CDP or network problem is fixed.

On the domain controller
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001
On the client computer
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001
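The same registry change from PowerShell, with a matching revert and a state check so that the relaxation does not linger on a production domain controller. This is an added example, not the article's own .reg files; it assumes an elevated prompt and that -DomainController is only passed on a DC, where the kdc service key exists. The function names are the example's own.

```powershell
# Added example (not part of the original article): apply, revert and inspect the
# registry values shown in the two .reg fragments above. Assumptions: elevated prompt;
# -DomainController is only used on a domain controller (the kdc key exists there).

$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$kdcParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\kdc'
$flag       = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'

# Equivalent of importing the .reg fragments: client values always, KDC value on a DC.
function Disable-SmartCardCrlCheck {
    param([switch]$DomainController, [int]$TimeoutSeconds = 1)
    if (-not (Test-Path $kerbParams)) { New-Item -Path $kerbParams -Force | Out-Null }
    New-ItemProperty -Path $kerbParams -Name $flag -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $kerbParams -Name 'CRLTimeoutPeriod' -PropertyType DWord -Value $TimeoutSeconds -Force | Out-Null
    if ($DomainController) {
        New-ItemProperty -Path $kdcParams -Name $flag -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Removing the values restores the default behaviour: revocation is checked and an
# unknown revocation status fails the logon.
function Enable-SmartCardCrlCheck {
    foreach ($name in $flag, 'CRLTimeoutPeriod') {
        Remove-ItemProperty -Path $kerbParams -Name $name -ErrorAction SilentlyContinue
    }
    if (Test-Path $kdcParams) {
        Remove-ItemProperty -Path $kdcParams -Name $flag -ErrorAction SilentlyContinue
    }
}

# Shows what is currently set; empty fields mean the default (checks enforced).
function Get-SmartCardCrlCheckState {
    foreach ($path in $kerbParams, $kdcParams) {
        if (Test-Path $path) {
            $v = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Key                     = $path
                IgnoreRevocationUnknown = $v.$flag
                CRLTimeoutPeriod        = $v.CRLTimeoutPeriod
            }
        }
    }
}

# Usage:
#   Disable-SmartCardCrlCheck -DomainController   # on the DC
#   Disable-SmartCardCrlCheck                     # on the client
#   Enable-SmartCardCrlCheck                      # revert when the CDP issue is fixed
Get-SmartCardCrlCheckState | Format-Table -AutoSize
```

Run Get-SmartCardCrlCheckState as part of the clean-up after the incident: a domain controller that still reports IgnoreRevocationUnknown = 1 under the kdc key is accepting revoked cards.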