Configuration Level: Global
Certificate revocation checking is part of the certificate validation process. In order to be considered valid, a certificate must not be revoked. The method supports On-Line Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) checking. The type of revocation checking performed is configured on a per trusted root container basis.
If a trusted root container is not listed in the OCSP or CRL list, revocation checking is not performed for certificates that chain to the trusted root container. If a trusted root container is listed in both the OCSP and the CRL list, both types of revocation checks are performed.
Certificates that chain to trusted root certificates in containers in this list use OCSP checking. An OCSP responder URL can be specified for each container in the list. If specified, the responder URL overrides OCSP information in a user's certificate.
An OCSP response is signed using the responder's certificate and the responder's certificate must be trusted in order for the response to be considered valid. Place the OCSP responder's certificate in the trusted root container to ensure that the certificate is trusted.
Certificates that chain to trusted root certificates in containers in this list use CRL checking. The CRL distribution point information in the user certificate is used to retrieve the CRL. CRLs are cached in memory on the server after retrieval. This improves the performance of future logins.
The Grace Period setting specifies the number of days after a CRL has expired to continue to treat it as valid. This allows revocation checking to continue, if a new CRL cannot be retrieved from the CRL Distribution Point. If a Grace Period is not specified and the CRL expiration date has passed, all certificates are considered invalid until a new CRL can be retrieved from the distribution point.