After a certificate enrollment policy is configured and used by a subscriber, the results are cached locally (Enrollment Policy Cache).
If changes are now made to the infrastructure, for example by publishing or removing a new certificate template on a certification authority accessible via Certificate Enrollment Web Service (CES), these changes are not immediately visible to subscribers due to the cache.
For this reason, it may be helpful to view or clear the cache.
The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)„.
When is the cache created?
Caching occurs at the moment when the CEP is first contacted for information
The following command line command can be used to view the Enrollment Policy Cache for the computer account:
certutil -policyserver * -policycache
The following command line command can be used to view the enrollment policy cache for the logged in user:
certutil -user -policyserver * -policycache
Where is the cache stored?
The enrollment policy cache is stored in a local file:
- For the computer account under %ProgramData%\Microsoft\Windows\X509Enrollment.
- For the currently logged in user under %USERPROFILE%\AppData\Local\Microsoft\Windows\X509Enrollment.
Deleting the files located in the folders causes a deletion of the cache.
How long is the cache valid?
The files are formatted in XML and can be viewed with a text editor. In the XML structure there is an element called nextUpdateHours which specifies the validity period of the cache entry.
Clearing the Enrollment Policy Cache
It is sufficient to delete the Enrollment Policy Cache files. Alternatively, a deletion can be done via command line.
The following command line command can be used to clear the enrollment policy cache for the computer account:
certutil -f -policyserver * -policycache delete
The following command line command can be used to clear the enrollment policy cache for the logged in user:
certutil -f -user -policyserver * -policycache delete
The Certificate Enrollment Policy (CEP) service also caches the information. So if one has made a change to a certificate template, republished or removed a certificate template, the CEP will initially continue to deliver the outdated previous information. An update of the server-side cache can be forced by restarting the WSEnrollmentPolicyWebService application pool or the Web Server service.
By the way, if the cache does not contain any entries and you execute the command, it fails with the following error message:
CertUtil: -PolicyCache command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.
English 
Deutsch
One thought on “Den Zwischenspeicher für Zertifikatregistrierungsrichtlinien (Enrollment Policy Cache) für den Certificate Enrollment Policy Web Service (CEP) einsehen und löschen”
Comments are closed.