5.3 Configuring Certificate Revocation Checking

Trusted root containers are automatically added to the OCSP and CRL certificate revocation checking lists. Modify the lists as necessary and enable the proper revocation checking option.

In Figure 5-5, both OCSP and CRL revocation checking are enabled. OCSP revocation checking is performed for certificates chaining to the "abc_TrustedRoots" container. CRL checking is performed for certificates chaining to the "xyz_TrustedRoots" container.

When OCSP validation is used, the OCSP response is signed by the responder's certificate. For the response to be considered valid, the responder's certificate must be trusted. Place the OCSP responder's trusted root certificate in the trusted root container to identify it as trusted.

Figure 5-5 Certificate Validation and Search Containers