How large is the certificate OCSP and CRL cache in my Windows server?

How can I see the size of the in-memory OCSP cache or CRL cache in my Domain Controllers?

In other words, most Windows processes that use CryptoAPI have an in-memory cache of every CRL and OCSP response relevant for that application. This is important since there is a huge performance tradeoff between client memory usage and the quantity of network IO requests.

In my case the CRL "client" is a server that validates WCF certificate authentication.

Image of nTier PKI


Solution 1:

Monitoring the cache size is important when any PKI application needs to verify the CRL of several certificates. AD for example will consume 100MB of RAM for 50,000 OCSP users vs 4MB when using the CRL method of validating users' certificates. reference

There are two types of caches, disk and memory. Although this doesn't directly answer the question, perhaps the size of the disk cache will help one infer the size of the memory cache.

The CRL disk cache size is found by typing the command

 certutil -urlcache crl

...and multiplying the entry count by 80 bytes per entry.

The OCSP disk cache size is found by typing

 certutil -urlcache ocsp

...and multiplying the entry count by 2 kilobytes (KB) per entry.
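The two certutil steps above, scripted so the entry counting and the per-entry arithmetic are done for you. This is an added example, not code from the answer; it assumes certutil.exe is on PATH and that each cache entry is printed as one URL line (the regex used to count entries is an assumption about that output, not something the page documents).

```powershell
# Added example: estimate the on-disk CRL and OCSP cache sizes from
# "certutil -urlcache crl" / "certutil -urlcache ocsp" entry counts, using the
# per-entry figures quoted in the answer (80 bytes per CRL entry, 2 KB per OCSP entry).

function Get-UrlCacheEntryCount {
    param([ValidateSet('crl', 'ocsp')][string]$Kind)

    # certutil prints one URL line per cached entry (assumption about the output format);
    # counting those lines gives the entry count without parsing anything else.
    $lines = & certutil.exe -urlcache $Kind 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -urlcache $Kind failed with exit code $LASTEXITCODE"
    }
    return @($lines | Where-Object { "$_" -match '^\s*https?://' }).Count
}

function Get-UrlCacheSizeEstimate {
    param(
        [int]$CrlBytesPerEntry  = 80,    # figure quoted in the answer
        [int]$OcspBytesPerEntry = 2KB    # figure quoted in the answer (2048 bytes)
    )

    $crlCount  = Get-UrlCacheEntryCount -Kind 'crl'
    $ocspCount = Get-UrlCacheEntryCount -Kind 'ocsp'

    [pscustomobject]@{
        CrlEntries        = $crlCount
        CrlEstimatedBytes = $crlCount * $CrlBytesPerEntry
        OcspEntries       = $ocspCount
        OcspEstimatedKB   = [math]::Round(($ocspCount * $OcspBytesPerEntry) / 1KB, 1)
    }
}

Get-UrlCacheSizeEstimate | Format-List
```

certutil enumerates the URL cache of the account it runs under, so to size the cache a service such as LSASS on a Domain Controller is using, run it in that service account's context rather than your own interactive session.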