Thanks for your suggestion. Will consider this.

-certificate switch did the trick:
https://winscp.net/eng/docs/scriptcommand_open#certificate.

Martin, I am using WinSCP for FTPS against a mainframe and as per Mainframe FTPS using WinSCP (GUI and Command-line) post /ini=nul helped with disabling the directory caching feature. All works good when my machine has internet access but when I run on some servers behind a firewall, WinSCP can't check the CRL and gives me "Continue connecting and store the certificate?" prompt. I can say "Yes" to the prompt and it works fine. Given that I am using /ini=nul, it can't save the cert info, so I get prompted every time and can't automate my scripts.

So looks like /ini=winscp.ini (FTP SSL – Accepting Certificate via Command Line) solution won't work for me as I am disabling caching with /ini=nul. My expectation about CRL is similar to this "Warning: The server's certificate is not known." when connecting to a valid server (5.9.2).

I have done some research and it seems that CRL checking is an application level responsibility, so this is why I suppose WinSCP is doing it and this behavior can't be altered via any server level setting. Some people talk about IE setting, but I can't see that impacting how WinSCP checks for CRL.

In my case, if I am able to disable CRL checking and keep using /ini=nul, that would be perfect, but as this might not be possible, is there any way to use /ini=winscp.ini and then disable directory caching and keep the certificate caching part?

Thanks