Revocation Pane

Getting there

The options are:

Search order to use for revocation

Determines which sources are used to check for certificate revocation and the order in which these checks occur.

Note: If you select "None" and no other options are selected, no revocation checking occurs. If you select "None" along with other options, PKI Services Manager attempts to determine the revocation status using all selected options higher in the search order list. If the certificate revocation status is still unknown after these checks, authentication is allowed.

CRL servers

Lists servers from which PKI Services Manager can retrieve CRLs. To add a server to the list, select "CRL servers" under Search order to use for revocation, and click Add. You can specify either an HTTP or an LDAP server.

OCSP responder URIs

Lists OCSP responders to use for checking the certificate revocation status. To add a URI, select "OCSP responders" under Search order to use for revocation, and click Add.

OCSP certificates

Lists certificates that can be used to sign the OCSP response. This is needed only if the OCSP response does not include the signer's certificate.

Settings

Opens the Revocation Settings dialog box, which you can use to configure policy OIDs and settings that affect how strictly revocation checking is enforced.

Notes:

  • Changes made on this pane are saved to the PKI Services Manager configuration file (pki_config).
  • Changes made on this pane do not take effect until you reload the settings (Server > Reload) or restart the server.
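
The search-order behaviour described in the note under "Search order to use for revocation", modelled as an added Python example (not PKI Services Manager code): it shows which selections let a certificate through when no source can answer. The function names and Status values are hypothetical. Two behaviours are assumptions rather than statements from this page: that the first definitive answer ends the search, and that an unknown status is rejected when "None" is not selected.

```python
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # source unreachable, or it has no answer for this certificate

NONE = "None"  # the "None" entry in the search order list

def consulted(search_order):
    """Sources that are actually checked: those higher in the list than "None"."""
    order = list(search_order)
    return order[:order.index(NONE)] if NONE in order else order

def evaluate(search_order, answers):
    """Return (allowed, reason) for one certificate.

    search_order: selected options, top of the list first.
    answers: constructed input, the Status each source would report.
    """
    fail_open = NONE in search_order
    for source in consulted(search_order):
        status = answers.get(source, Status.UNKNOWN)
        if status is Status.REVOKED:
            return False, f"revoked according to {source}"
        if status is Status.GOOD:
            # Assumption: the first definitive answer ends the search.
            return True, f"good according to {source}"
    if fail_open:
        return True, "status unknown; allowed because 'None' is selected"
    # Assumption: without "None", an unknown status is rejected.
    return False, "status unknown; rejected"

def audit(search_order):
    """Findings a reviewer would raise for a given search order."""
    order, findings = list(search_order), []
    if NONE in order:
        if consulted(order):
            findings.append("unknown status is allowed (fail-open)")
        else:
            findings.append("no revocation checking occurs")
        ignored = order[order.index(NONE) + 1:]
        if ignored:
            findings.append("never consulted: " + ", ".join(ignored))
    return findings
```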