Local Service Certificate Cache
Windows services running under the Local Service account use the Cryptnet URL cache to store downloaded certificate trust data such as CRLs, OCSP responses, intermediate CA certificates, and certificate trust list metadata under the LocalService profile. This disk cache speeds up repeated revocation and chain-building checks for background services, but stale or corrupted entries can leave services relying on expired revocation data or bad certificate retrieval results. Kudu removes the cached Cryptnet URL cache files for the Local Service account so Windows can fetch fresh certificate validation data without affecting user certificates, saved passwords, or account settings.
Why clean Local Service Certificate Cache?
- Expired or stale CRL and OCSP response files cause certificate revocation checks to fail, which users notice as Windows services refusing secure connections or reporting trust errors
- Corrupted cached intermediate CA certificates break certificate chain building, leading to service update failures, TLS handshake errors, or event log entries about an untrusted certificate chain
- Cached negative retrieval results can persist after a CA or revocation endpoint is back online, so a service keeps failing certificate validation even though the network problem is gone
- Outdated trust list metadata in the Local Service Cryptnet cache can make background services reject newly reissued certificates until the cache is rebuilt from current sources
- A bloated cache with many old revocation objects increases certificate validation work for Local Service processes, showing up as slow service startup, delayed HTTPS requests, or long pauses before a task begins
- After proxy, firewall, or network path changes, the Local Service account may keep using bad cached certificate retrieval data, causing repeated connection failures that disappear only after the cache is cleared
Cache paths Kudu targets
Windows
%WinDir%/ServiceProfiles/LocalService/AppData/LocalLow/Microsoft/CryptnetUrlCache |
Common questions about Local Service Certificate Cache
Download Kudu and reclaim your disk space.
Available on Windows, macOS, and Linux. No account required, no feature gates, no telemetry without consent. All cleaning targets are open source and community-auditable.