
Information about CRL caching settings on IIS 10.0 seems incorrect

Open KyryloAntoshyn opened this issue 2 years ago • 0 comments

Hello, community members!

I am writing to you about the information provided on this page: SSLBinding Class. My goal: set up IIS so that it updates the cached CRL after a configurable amount of time.

According to the above-mentioned article we should:

  1. Set CertCheckMode to 4.
  2. Set RevocationFreshnessTime to 10, for example (10 seconds).

We do all these things locally and it doesn't work: IIS doesn't update its cache after 10 seconds. My question: how do I properly use the RevocationFreshnessTime setting to make it work?

More technically speaking, we do the following:

  1. Delete the existing SSL binding for my website: netsh http delete sslcert ipport=0.0.0.0:3010.
  2. Add a binding which tells IIS to download the CRL every 10 seconds and not to cache it: netsh http add sslcert ipport=0.0.0.0:3010 certhash=SOME_VALUE appid={SOME_VALUE} certstorename=My verifyclientcertrevocation=enable revocationfreshnesstime=10 urlretrievaltimeout=30000. The parameters mean that we enable CRL checking, refresh the CRL every 10 seconds and set the HTTP timeout for the CRL download to 30 seconds (30000 milliseconds).
  3. Verify that the information has been updated.
  4. Restart IIS or reboot the machine: iisreset.
  5. Clear the CRL cache: certutil -urlcache crl delete.
  6. Publish a new CRL and verify that it doesn't contain our certificate.
  7. Send a non-revoked certificate: IIS returns a 403 status. This means that IIS uses the cached CRL and the above-mentioned IIS settings don't work.

The issue is described in more detail here: Disabling Certificate Revocation List (CRL) Caching on IIS 10.0.

Tagging authors of this file: @shirhatti @nschonni @mairaw @dereklh7.

KyryloAntoshyn, Feb 08 '23 19:02
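Because the whole repro hinges on which values netsh actually stored for the binding, here is an added PowerShell check (written for this page, not code from the issue or from the IIS docs) that parses `netsh http show sslcert` output and reports every revocation setting that differs from what step 2 configured. The field names are the ones netsh prints on current Windows; the sample output below is constructed, with placeholder hash and app id, so the script runs offline.

```powershell
# Parse the "Key : Value" lines netsh prints into an ordered hashtable.
function ConvertFrom-NetshSslCert {
    param([Parameter(Mandatory)][string[]]$Lines)
    $settings = [ordered]@{}
    foreach ($line in $Lines) {
        # e.g. "    Revocation Freshness Time    : 10"
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.*)$') {
            $settings[$Matches.key] = $Matches.value.Trim()
        }
    }
    return $settings
}

# Compare the parsed binding against the values the issue expects
# (revocation enabled, no cached-only check, freshness 10 s, timeout 30000 ms).
function Test-CrlBindingSettings {
    param(
        [Parameter(Mandatory)]$Settings,
        [int]$ExpectedFreshnessSeconds = 10,
        [int]$ExpectedUrlTimeoutMs = 30000
    )
    $expected = [ordered]@{
        'Verify Client Certificate Revocation'                   = 'Enabled'
        'Verify Revocation Using Cached Client Certificate Only' = 'Disabled'
        'Revocation Freshness Time'                              = "$ExpectedFreshnessSeconds"
        'URL Retrieval Timeout'                                  = "$ExpectedUrlTimeoutMs"
    }
    # @(...) guarantees an empty array (not $null) when everything matches.
    $problems = @(foreach ($key in $expected.Keys) {
        $actual = $Settings[$key]
        if ($actual -ne $expected[$key]) {
            "$key is '$actual' (expected '$($expected[$key])')"
        }
    })
    return $problems
}

# Constructed sample of `netsh http show sslcert ipport=0.0.0.0:3010` output;
# hash and app id are placeholders, and the freshness time was left at 0 on purpose.
$sample = @'
    IP:port                      : 0.0.0.0:3010
    Certificate Hash             : PLACEHOLDER_CERTHASH
    Application ID               : {PLACEHOLDER-APPID}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 30000
'@ -split "`r?`n"

Test-CrlBindingSettings -Settings (ConvertFrom-NetshSslCert -Lines $sample)
```

On a live server, feed it the real output instead: `Test-CrlBindingSettings -Settings (ConvertFrom-NetshSslCert -Lines (netsh http show sslcert ipport=0.0.0.0:3010))`; an empty result means the binding carries the intended values, so any remaining stale-CRL behaviour is not a binding-configuration problem.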