View and clear the certificate enrollment policy cache for the Certificate Enrollment Policy Web Service (CEP).

After a certificate enrollment policy is configured and used by a subscriber, the results are cached locally (Enrollment Policy Cache).

If changes are subsequently made to the infrastructure, for example by publishing a new certificate template on, or removing one from, a certification authority reachable via the Certificate Enrollment Web Service (CES), these changes are not immediately visible to subscribers because of the cache.

For this reason, it may be helpful to view or clear the cache.

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".

When is the cache created?

Caching occurs the moment the client first contacts the CEP for policy information.

The following command line command can be used to view the Enrollment Policy Cache for the computer account:

certutil -policyserver * -policycache

The following command line command can be used to view the enrollment policy cache for the logged in user:

certutil -user -policyserver * -policycache

Where is the cache stored?

The enrollment policy cache is stored in a local file:

  • For the computer account under %ProgramData%\Microsoft\Windows\X509Enrollment.
  • For the currently logged in user under %USERPROFILE%\AppData\Local\Microsoft\Windows\X509Enrollment.

Deleting the files in these folders clears the cache.

How long is the cache valid?

The files are formatted in XML and can be viewed with a text editor. In the XML structure there is an element called nextUpdateHours which specifies the validity period of the cache entry.
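The following PowerShell function is an added example, not code from the original article: it lists the cache files for both the computer and the user context, reads the nextUpdateHours element from each file, and derives when the entry expires. Two assumptions are made that the article does not state: the element is located with a namespace-agnostic XPath (local-name()) because its namespace is not documented here, and the file's last-write time is treated as the moment the entry was cached.

```powershell
# Added example (not from the original article): inspect the Enrollment Policy
# Cache files for the computer and the current user and show when each entry
# expires based on its nextUpdateHours value.
# Assumptions: the XML is queried with local-name() because the element's
# namespace is not documented here; LastWriteTime is taken as the caching time.

function Get-EnrollmentPolicyCache {
    [CmdletBinding()]
    param()

    $locations = @(
        @{ Context = 'Machine'; Path = Join-Path $env:ProgramData  'Microsoft\Windows\X509Enrollment' }
        @{ Context = 'User';    Path = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\X509Enrollment' }
    )

    foreach ($loc in $locations) {
        if (-not (Test-Path -LiteralPath $loc.Path)) {
            Write-Verbose "No cache folder for $($loc.Context) context: $($loc.Path)"
            continue
        }

        Get-ChildItem -LiteralPath $loc.Path -File | ForEach-Object {
            $file  = $_
            $hours = $null
            try {
                [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
                # namespace-agnostic lookup of the nextUpdateHours element (assumption)
                $node = Select-Xml -Xml $doc -XPath "//*[local-name()='nextUpdateHours']" |
                        Select-Object -First 1
                if ($node) { $hours = [int]$node.Node.InnerText }
            } catch {
                Write-Warning "Could not parse $($file.FullName): $_"
            }

            $cachedAt = $file.LastWriteTime
            $expires  = if ($null -ne $hours) { $cachedAt.AddHours($hours) } else { $null }

            [pscustomobject]@{
                Context         = $loc.Context
                File            = $file.Name
                CachedAt        = $cachedAt
                NextUpdateHours = $hours
                ExpiresAt       = $expires
                Expired         = if ($expires) { $expires -lt (Get-Date) } else { $null }
            }
        }
    }
}

Get-EnrollmentPolicyCache | Format-Table -AutoSize
```

Run it in the context whose cache you want to see; an entry whose ExpiresAt lies in the past will be refreshed from the CEP on the next enrollment attempt, while a still-valid entry keeps serving stale template information until it is deleted.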

Clearing the Enrollment Policy Cache


Deleting the Enrollment Policy Cache files is sufficient. Alternatively, the cache can be cleared from the command line.

The following command line command can be used to clear the enrollment policy cache for the computer account:

certutil -f -policyserver * -policycache delete

The following command line command can be used to clear the enrollment policy cache for the logged in user:

certutil -f -user -policyserver * -policycache delete

The Certificate Enrollment Policy Web Service (CEP) also caches the policy information on the server side. So if a certificate template has been changed, republished, or removed, the CEP will initially continue to deliver the outdated information. An update of the server-side cache can be forced by restarting the WSEnrollmentPolicyWebService application pool or the Web Server service.

By the way, if the cache contains no entries when the delete command is executed, certutil fails with the following error message:

CertUtil: -PolicyCache command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.
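As an added example that is not part of the original article, the following PowerShell code wraps the two certutil commands above into one function, treats the 0x80070057 result on an already-empty cache as a benign condition instead of an error, and provides a second function for the server-side step. It assumes that certutil returns a non-zero exit code and prints the 0x80070057 text quoted above when the cache is empty, and that the application pool name is supplied by the caller (the name used in the usage comment is the one given in the article).

```powershell
# Added example (not from the original article): clear the client-side
# Enrollment Policy Cache with certutil and, on the CEP server, recycle the
# application pool so that it stops serving stale policy.
# Assumptions: certutil exits non-zero and prints 0x80070057 on an empty cache
# (as quoted in the article); the app pool name is passed in by the caller.

function Clear-EnrollmentPolicyCache {
    [CmdletBinding()]
    param(
        [ValidateSet('Machine', 'User', 'Both')]
        [string]$Context = 'Both'
    )

    $contexts = if ($Context -eq 'Both') { 'Machine', 'User' } else { $Context }

    foreach ($ctx in $contexts) {
        # same argument order as the article's commands; -user only for the user context
        $certutilArgs = @('-f')
        if ($ctx -eq 'User') { $certutilArgs += '-user' }
        $certutilArgs += '-policyserver', '*', '-policycache', 'delete'

        # certutil writes its error text to stdout; merge both streams anyway
        $output = & certutil.exe @certutilArgs 2>&1 | Out-String
        $code   = $LASTEXITCODE

        if ($code -eq 0) {
            Write-Host "[$ctx] Enrollment Policy Cache cleared."
        } elseif ($output -match '0x80070057') {
            # empty cache: nothing to delete, not a real failure
            Write-Host "[$ctx] Cache was already empty (ERROR_INVALID_PARAMETER from certutil)."
        } else {
            Write-Error "[$ctx] certutil failed with exit code ${code}:`n$output"
        }
    }
}

function Reset-CepServerCache {
    # Run on the CEP server. Recycling the pool is the lighter option; restarting
    # W3SVC also interrupts every other site hosted on that server.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$AppPoolName,
        [switch]$WholeWebServer
    )

    if ($WholeWebServer) {
        Restart-Service -Name W3SVC -Force
    } else {
        Import-Module WebAdministration
        Restart-WebAppPool -Name $AppPoolName
    }
}

# Client side (run elevated so the machine cache can be deleted as well):
Clear-EnrollmentPolicyCache -Context Both

# Server side, with the pool name given in the article:
# Reset-CepServerCache -AppPoolName 'WSEnrollmentPolicyWebService'
```

Clear the server-side cache first and the client-side cache afterwards; otherwise the client simply re-fetches the stale policy the CEP is still holding.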
