Certificate validation must be enabled and revocation checking properly configured. If a CRL Grace Period is used, the grace period must be limited to a few days. Do not use the CRL Grace Period as a mechanism to work around a dysfunctional CRL infrastructure.