3.2 Configuring Certificate Revocation Checking

Configuration Level: Global

Certificate revocation checking is part of the certificate validation process. To be considered valid, a certificate must not be revoked. The method supports Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) checking. The type of revocation checking performed is configured separately for each trusted root container.

Trusted root containers are automatically added to the OCSP and CRL certificate revocation checking lists. Modify the lists as necessary and enable the appropriate revocation checking option.

If a trusted root container is not listed in the OCSP or CRL list, revocation checking is not performed for certificates that chain to the trusted root container. If a trusted root container is listed in both the OCSP and the CRL list, both types of revocation checks are performed.

3.2.1 OCSP Trusted Root Containers

Certificates that chain to trusted root certificates in containers in this list use OCSP checking. An OCSP responder URL can be specified for each container in the list. If specified, the responder URL overrides OCSP information in a user's certificate.

An OCSP response is signed by using the responder's certificate, and the responder's certificate must be trusted for the response to be considered valid. Place the OCSP responder's certificate in the trusted root container to ensure that the certificate is trusted.

3.2.2 CRL Trusted Root Containers

Certificates that chain to trusted root certificates in containers in this list use CRL checking. The CRL Distribution Point information in the user certificate is used to retrieve the CRL. CRLs are cached in memory on the server after retrieval. This improves the performance of future logins.

The Grace Period setting specifies the number of days after a CRL has expired during which the cached CRL is still treated as valid. This allows revocation checking to continue if a new CRL cannot be retrieved from the CRL Distribution Point. If no grace period is specified and the CRL expiration date has passed, all certificates are considered invalid until a new CRL is retrieved from the Distribution Point.
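The following Python model, added here as an illustration and not part of the product, shows the decision logic this section describes: which checks run depending on the OCSP and CRL lists (3.2), the responder URL override (3.2.1), and the CRL grace period (3.2.2). The container fields, URLs, serial numbers and the in-memory OCSP response table are all constructed stand-ins.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class TrustedRootContainer:           # constructed model of one container's revocation settings
    in_ocsp_list: bool = False
    ocsp_responder_url: str = ""              # optional override of the URL in the user cert
    in_crl_list: bool = False
    crl_grace_days: int = 0                   # Grace Period setting; 0 = not specified

@dataclass
class CachedCRL:                      # the in-memory CRL cache described in 3.2.2
    next_update: datetime                     # the CRL's expiry
    revoked_serials: set = field(default_factory=set)

def responder_url(container, cert_aia_url):
    # A responder URL configured on the container overrides the one in the certificate.
    return container.ocsp_responder_url or cert_aia_url

def crl_status(container, crl, serial, now):
    # An expired CRL remains usable for crl_grace_days; past that, nothing can be validated.
    if crl is None or now > crl.next_update + timedelta(days=container.crl_grace_days):
        return "unavailable"
    return "revoked" if serial in crl.revoked_serials else "good"

def is_not_revoked(container, serial, cert_aia_url, now, crl=None, ocsp_responses=None):
    # Run every check the container is listed for; all of them must come back "good".
    results = []
    if container.in_ocsp_list:      # ocsp_responses stands in for the network: {url: {serial: status}}
        url = responder_url(container, cert_aia_url)
        results.append((ocsp_responses or {}).get(url, {}).get(serial, "unknown"))
    if container.in_crl_list:
        results.append(crl_status(container, crl, serial, now))
    return all(r == "good" for r in results)  # listed in neither -> no revocation check

def demo():
    # Constructed sample data: one cached CRL, one simulated responder, three containers.
    now, aia = datetime(2024, 1, 10), "http://ocsp.from-cert.example/"
    crl = CachedCRL(next_update=datetime(2024, 1, 8), revoked_serials={"1B"})
    ocsp = {"http://ocsp.override.example/": {"2C": "good", "1B": "revoked"}}
    graced = TrustedRootContainer(in_crl_list=True, crl_grace_days=5)
    strict = TrustedRootContainer(in_crl_list=True)   # CRL expired two days ago, no grace
    both = TrustedRootContainer(in_ocsp_list=True, in_crl_list=True, crl_grace_days=5,
                                ocsp_responder_url="http://ocsp.override.example/")
    return {"grace_good": is_not_revoked(graced, "2C", aia, now, crl=crl),
            "grace_revoked": is_not_revoked(graced, "1B", aia, now, crl=crl),
            "expired_no_grace": is_not_revoked(strict, "2C", aia, now, crl=crl),
            "both_good": is_not_revoked(both, "2C", aia, now, crl=crl, ocsp_responses=ocsp),
            "override_url": responder_url(both, aia)}
```

Note that with no grace period the expired CRL makes even an unrevoked serial fail, which is the behaviour to expect during a Distribution Point outage.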