diff --git a/src/XrdCrypto/XrdCryptosslX509Crl.cc b/src/XrdCrypto/XrdCryptosslX509Crl.cc
index 609e14f234c..89c5fc1a027 100644
--- a/src/XrdCrypto/XrdCryptosslX509Crl.cc
+++ b/src/XrdCrypto/XrdCryptosslX509Crl.cc
@@ -350,7 +350,6 @@ int XrdCryptosslX509Crl::LoadCache()
    // Load relevant info into the cache
    // Return 0 if ok, -1 in case of error
    EPNAME("LoadCache");
-   XrdSutCacheRef pfeRef;
 
    // The CRL must exists
    if (!crl) {
@@ -381,12 +380,6 @@ int XrdCryptosslX509Crl::LoadCache()
       return 0;
    }
 
-   // Init cache
-   if (cache.Init(nrevoked) != 0) {
-      DEBUG("problems init cache for CRL info");
-      return -1;
-   }
-
    // Get serial numbers of revoked certificates
    char *tagser = 0;
    int i = 0;
@@ -404,7 +397,8 @@ int XrdCryptosslX509Crl::LoadCache()
          TRACE(Dump, "certificate with serial number: "<<tagser<<
                      "  has been revoked");
          // Add to the cache
-         XrdSutPFEntry *cent = cache.Add(pfeRef, (const char *)tagser);
+         bool rdlock = false;
+         XrdSutCacheEntry *cent = cache.Get((const char *)tagser, rdlock);
          if (!cent) {
             DEBUG("problems updating the cache");
             return -1;
@@ -413,13 +407,11 @@ int XrdCryptosslX509Crl::LoadCache()
          cent->mtime = XrdCryptosslASN1toUTC(X509_REVOKED_get0_revocationDate(rev));
          // Release the string for the serial number
          OPENSSL_free(tagser);
+         // Unlock the entry
+         cent->rwmtx.UnLock();
       }
    }
 
-   // rehash the cache
-   pfeRef.UnLock(); // Prevent lock inversion (though it doesn't matter here)
-   cache.Rehash(1);
-
    return 0;
 }
 
@@ -550,7 +542,6 @@ bool XrdCryptosslX509Crl::IsRevoked(int serialnumber, int when)
    // Check if certificate with serialnumber is in the
    // list of revocated certificates
    EPNAME("IsRevoked");
-   XrdSutCacheRef pfeRef;
 
    // Reference time
    int now = (when > 0) ? when : time(0);
@@ -571,13 +562,16 @@ bool XrdCryptosslX509Crl::IsRevoked(int serialnumber, int when)
    sprintf(tagser,"%x",serialnumber);
 
    // Look into the cache
-   XrdSutPFEntry *cent = cache.Get(pfeRef, (const char *)tagser);
+   bool rdlock = false;
+   XrdSutCacheEntry *cent = cache.Get((const char *)tagser, rdlock);
    if (cent) {
       // Check the revocation time
       if (now > cent->mtime) {
          DEBUG("certificate "<<tagser<<" has been revoked");
+         cent->rwmtx.UnLock();
          return 1;
       }
+      cent->rwmtx.UnLock();
    }
 
    // Certificate not revoked
@@ -590,7 +584,6 @@ bool XrdCryptosslX509Crl::IsRevoked(const char *sernum, int when)
    // Check if certificate with 'sernum' is in the
    // list of revocated certificates
    EPNAME("IsRevoked");
-   XrdSutCacheRef pfeRef;
 
    // Reference time
    int now = (when > 0) ? when : time(0);
@@ -607,13 +600,16 @@ bool XrdCryptosslX509Crl::IsRevoked(const char *sernum, int when)
    }
 
    // Look into the cache
-   XrdSutPFEntry *cent = cache.Get(pfeRef, (const char *)sernum);
+   bool rdlock = false;
+   XrdSutCacheEntry *cent = cache.Get((const char *)sernum, rdlock);
    if (cent) {
       // Check the revocation time
       if (now > cent->mtime) {
          DEBUG("certificate "<<sernum<<" has been revoked");
+         cent->rwmtx.UnLock();
          return 1;
       }
+      cent->rwmtx.UnLock();
    }
 
    // Certificate not revoked
diff --git a/src/XrdCrypto/XrdCryptosslX509Crl.hh b/src/XrdCrypto/XrdCryptosslX509Crl.hh
index 0b282437407..6537d9dd2f9 100644
--- a/src/XrdCrypto/XrdCryptosslX509Crl.hh
+++ b/src/XrdCrypto/XrdCryptosslX509Crl.hh
@@ -45,7 +45,6 @@
 //
 // ---------------------------------------------------------------------------//
 
-class XrdSutCache;
 class XrdCryptoX509;
 
 class XrdCryptosslX509Crl : public XrdCryptoX509Crl {