System · Requires admin/root

System Certificate Cache

Windows stores fetched certificate trust data in the Cryptnet URL cache under the system profile, including cached certificate revocation lists, OCSP responses, certificate trust lists, and downloaded intermediate CA certificates used by CryptoAPI chain building. These files speed up TLS handshakes, code-signature checks, Windows Update validation, and smart card or enterprise authentication, but stale or corrupt entries can cause trust validation to use outdated revocation or issuer data. Kudu clears the on-disk CryptnetUrlCache so Windows can retrieve fresh certificate metadata without affecting personal certificates, private keys, saved accounts, or passwords.

Why clean System Certificate Cache?

  • An expired or corrupted cached CRL or OCSP response can make valid websites or signed installers suddenly report certificate errors until Windows fetches fresh revocation data
  • Stale downloaded intermediate CA certificates can cause chain-building failures, which users see as browser trust warnings, VPN connection errors, or signed apps refusing to launch
  • Outdated certificate trust list data can interfere with code-signature verification, leading to SmartScreen or installer signature checks failing on files that should validate
  • Corruption in the Cryptnet URL cache can slow every trust check, showing up as long pauses when opening HTTPS sites, Windows Update scanning, or launching signed enterprise software
  • After a CA rollover or revocation event, Windows may keep using cached issuer or status data, so cleaning forces retrieval of current trust information and clears repeated validation prompts
  • Large numbers of obsolete cached certificate objects increase disk reads during chain evaluation, which can show up as intermittent delays in RDP, Wi-Fi 802.1X, or smart card logons
  • Certificate databases can suffer SQLite-style page fragmentation over time, and a VACUUM-style rewrite compacts pages without deleting rows; clearing this cache similarly removes stale on-disk trust artifacts so Windows rebuilds a clean set

What gets cleaned

Cache paths Kudu targets

Windows

%WinDir%/System32/config/systemprofile/AppData/LocalLow/Microsoft/CryptnetUrlCache
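
Before this path is cleared, a read-only inventory shows how much is cached and how old it is. The script below is an added example, not part of Kudu. It assumes the cache's usual `Content` and `MetaData` subfolders (not listed on this page), and the `StaleDays` and `ArchiveTo` parameters are hypothetical names chosen here.

```powershell
# Added example: read-only inventory of the Cryptnet URL cache, with an optional
# archive step so the cached objects can be kept for troubleshooting or incident
# review before a cleaner removes them. Run from an elevated PowerShell prompt.
param(
    # Default is the path this page lists, written with Windows separators.
    [string]$CachePath = (Join-Path $env:WinDir 'System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache'),
    [int]$StaleDays = 30,      # hypothetical reporting threshold, not a Windows setting
    [string]$ArchiveTo = ''    # hypothetical: .zip path to write a copy to; empty = skip
)

if (-not (Test-Path -LiteralPath $CachePath)) {
    Write-Warning "Cache path not found: $CachePath"
    return
}

$now = Get-Date
# Assumed layout: Content holds the fetched objects, MetaData the per-object records.
$report = foreach ($sub in 'Content', 'MetaData') {
    $dir = Join-Path $CachePath $sub
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    $files  = @(Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue)
    $stale  = @($files | Where-Object { ($now - $_.LastWriteTime).TotalDays -gt $StaleDays })
    $sorted = @($files | Sort-Object LastWriteTime)

    [pscustomobject]@{
        Folder     = $sub
        Files      = $files.Count
        SizeKB     = [math]::Round((($files | Measure-Object Length -Sum).Sum) / 1KB, 1)
        Oldest     = ($sorted | Select-Object -First 1).LastWriteTime
        Newest     = ($sorted | Select-Object -Last 1).LastWriteTime
        StaleFiles = $stale.Count
    }
}
$report | Format-Table -AutoSize

# Optional: keep a copy of the whole cache folder before anything deletes it.
if ($ArchiveTo) {
    Compress-Archive -LiteralPath $CachePath -DestinationPath $ArchiveTo
    Write-Output "Archived cache to $ArchiveTo"
}
```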

Free & open source

Download Kudu and reclaim your disk space.

Available on Windows, macOS, and Linux. No account required, no feature gates, no telemetry without consent. All cleaning targets are open source and community-auditable.