How large is the certificate OCSP and CRL cache in my Windows server?
How can I see the size of the in-memory OCSP cache to a CRL cache in my Domain Controllers?
In other words, most Windows processes that use CryptoAPIs have an in-memory cache of every CRL and OCSP relevant for that application. This is important since there is a huge performance tradeoff between client memory usage and quantity of network IO requests.
In my case the CRL "client" is a server that validates WCF certificate authentication.
Solution 1:
Monitoring the cache size is important when any PKI application needs to verify the CRL of several certificates. AD, for example, will consume 100MB of RAM for 50,000 OCSP users vs 4MB when using the CRL method of validating users' certificates (reference).
There are two types of caches, disk and memory. Although this doesn't directly answer the question, perhaps the size of the disk cache will help one infer the size of the memory cache.
The CRL disk cache size is found by typing the command
certutil -urlcache crl
...and multiplying the entry count by 80 bytes per entry.
The OCSP disk cache size is found by typing
certutil -urlcache ocsp
and multiplying the entry count by 2 kilobytes (KBs).
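
The two estimates above, scripted as an added example (not part of the original answer). It assumes certutil lists each cached entry on its own line beginning with a URL, and reads "2 kilobytes" as 2048 bytes; the function name `Get-UrlCacheEstimate` is hypothetical.

```powershell
# Per-entry size figures taken from the answer above (80 bytes per CRL entry, 2 KB per OCSP entry).
$bytesPerEntry = @{ crl = 80; ocsp = 2KB }

function Get-UrlCacheEstimate {
    param(
        [Parameter(Mandatory)][ValidateSet('crl', 'ocsp')][string]$Type,
        [string[]]$CertutilOutput   # optional: previously captured certutil output
    )
    if (-not $CertutilOutput) {
        # Same command as in the answer: certutil -urlcache crl | ocsp
        $CertutilOutput = & certutil.exe -urlcache $Type
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -urlcache $Type failed with exit code $LASTEXITCODE"
        }
    }
    # Assumption: one line per cached entry, starting with the entry's URL.
    # Summary and status lines do not match and are therefore not counted.
    $entries = @($CertutilOutput | Where-Object { $_ -match '^\s*(https?|ldaps?|file)://' })
    $bytes   = $entries.Count * $bytesPerEntry[$Type]
    [pscustomobject]@{
        Type           = $Type
        Entries        = $entries.Count
        EstimatedBytes = $bytes
        EstimatedKB    = [math]::Round($bytes / 1KB, 1)
    }
}

'crl', 'ocsp' | ForEach-Object { Get-UrlCacheEstimate -Type $_ } | Format-Table -AutoSize
```

The disk cache is kept per user profile, so run this as the account whose cache you want to measure (for example, the service account of the process doing the certificate validation).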