How often is CRL refreshed, and how to force it to be?

Posted by lockstock on Server Fault
Published on 2012-11-20T23:40:56Z Indexed on 2012/11/21 5:03 UTC

I have a web service running under IIS 7 that requires an X509 client certificate. I know that the server that it runs on needs access to DigiCert.com in order to be able to get the CRL (Certificate Revocation List).

There is a need to change our proxy so I am attempting to investigate the impact of doing so. I have removed the global proxy settings using the command netsh winhttp proxy refesh, and also deleted the CRL cache using the command certutil -URLcache CRL delete.

However, after doing this, all calls to the web service still succeed. This suggests to me that I am missing something here.

So, if the CRL cache is cleared and the server has no way of refreshing the CRL, why do web service requests not return HTTP 403?

I have been unable to find adequate information from googling nor from my colleagues.

The reason I want it to fail is that I will not be confident that the new proxy settings work until I can see it broken first, if that makes sense.

I would also like to be able to force the CRL to be refreshed in order to ensure that the new proxy settings work.

© Server Fault or respective owner
