Revocation Pane

The options are:

Search order to use for revocation

Determines which sources are used to check for certificate revocation and the order in which these checks occur.

NOTE: If you select "None" and no other options are selected, no revocation checking occurs. If you select "None" along with other options, PKI Services Manager attempts to determine the revocation status using all selected options higher in the search order list. If the certificate revocation status is still unknown after these checks, authentication is allowed.

CRL servers

Lists servers from which PKI Services Manager can retrieve CRLs. (A CRL is a digitally signed list of certificates that have been revoked by the Certification Authority; certificates identified in a CRL are no longer valid.) To add a server to the list, select "CRL servers" under Search order to use for revocation, and click Add. You can specify either an HTTP or an LDAP server.

OCSP responder URIs

Lists OCSP responders to use for checking the certificate revocation status. (OCSP is a protocol, carried over HTTP, that can be used as an alternative to CRL checking to confirm whether a certificate is valid. An OCSP responder replies to certificate status requests with one of three digitally signed responses: "good", "revoked", or "unknown". Using OCSP removes the need for servers and/or clients to retrieve and sort through large CRLs.) To add a URI, select "OCSP responders" under Search order to use for revocation, and click Add.

OCSP certificates

Lists certificates that can be used to sign the OCSP response. This is needed only if the OCSP response does not include the signer's certificate in its response.


Opens the Revocation Settings dialog box, which you can use to configure policy OIDs and settings that affect how strictly revocation checking is enforced.
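The following script is an added example, not part of PKI Services Manager or its documentation. It models the search-order rules described under Search order to use for revocation: each source (CRL servers, OCSP responders) is consulted in turn, a "revoked" or "good" answer ends the search, an "unknown" answer moves on to the next source, and reaching "None" allows the certificate because every source above it has already been tried. The CRL and OCSP lookups are constructed in-memory stand-ins, the serial numbers are made up, and one rule is an assumption the page does not state: without a "None" entry, a status that is still unknown after all sources fails the check.

```python
from enum import Enum
from typing import Callable, Dict, Iterable, List, Tuple


class Source(Enum):
    """Entries that can appear in the revocation search order."""
    CRL = "CRL servers"
    OCSP = "OCSP responders"
    NONE = "None"


class Status(Enum):
    """Outcome of one lookup; mirrors the three OCSP answers."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


Lookup = Callable[[str], Status]


def make_crl_lookup(revoked_serials: Iterable[str], reachable: bool = True) -> Lookup:
    """Constructed stand-in for a CRL server. A serial absent from a retrieved CRL
    is not revoked; a CRL that cannot be retrieved yields UNKNOWN."""
    revoked = set(revoked_serials)

    def lookup(serial: str) -> Status:
        if not reachable:
            return Status.UNKNOWN
        return Status.REVOKED if serial in revoked else Status.GOOD

    return lookup


def make_ocsp_lookup(responses: Dict[str, Status], reachable: bool = True) -> Lookup:
    """Constructed stand-in for an OCSP responder: answers good, revoked or
    unknown; an unreachable responder also yields UNKNOWN."""

    def lookup(serial: str) -> Status:
        if not reachable:
            return Status.UNKNOWN
        return responses.get(serial, Status.UNKNOWN)

    return lookup


def check_revocation(search_order: List[Source], lookups: Dict[Source, Lookup],
                     serial: str) -> Tuple[bool, str]:
    """Consult sources in order and return (allowed, reason)."""
    if not search_order:
        return True, "no revocation checking configured"
    for position, source in enumerate(search_order):
        if source is Source.NONE:
            # Everything listed above "None" has been consulted without a
            # definite answer (or nothing was listed above it at all).
            if position == 0:
                return True, "no revocation checking performed"
            return True, "status unknown; 'None' allows authentication"
        status = lookups[source](serial)
        if status is Status.REVOKED:
            return False, f"revoked according to {source.value}"
        if status is Status.GOOD:
            return True, f"good according to {source.value}"
        # UNKNOWN: fall through to the next source in the list
    # Assumption (not stated on the page): no "None" entry means a status
    # that is still unknown after every source fails the check.
    return False, "status unknown after all configured checks"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios exercising the search-order rules."""
    revoked_serial, clean_serial = "1001", "2002"  # made-up serial numbers
    up = {
        Source.CRL: make_crl_lookup({revoked_serial}),
        Source.OCSP: make_ocsp_lookup({revoked_serial: Status.REVOKED,
                                       clean_serial: Status.GOOD}),
    }
    ocsp_down = {Source.CRL: up[Source.CRL],
                 Source.OCSP: make_ocsp_lookup({}, reachable=False)}
    all_down = {Source.CRL: make_crl_lookup(set(), reachable=False),
                Source.OCSP: ocsp_down[Source.OCSP]}
    return {
        "ocsp_revoked": check_revocation([Source.OCSP, Source.CRL], up, revoked_serial),
        "ocsp_down_crl_good": check_revocation([Source.OCSP, Source.CRL], ocsp_down, clean_serial),
        "all_down_strict": check_revocation([Source.OCSP, Source.CRL], all_down, clean_serial),
        "all_down_none_last": check_revocation([Source.OCSP, Source.CRL, Source.NONE], all_down, clean_serial),
        "none_only": check_revocation([Source.NONE], up, revoked_serial),
        "none_above_crl": check_revocation([Source.NONE, Source.CRL], up, revoked_serial),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:20s} allowed={allowed!s:5s} {reason}")
```

The "none_above_crl" scenario is the one worth noticing when reviewing a configuration: a certificate that a CRL server would report as revoked is still allowed, because "None" sits above the CRL entry and sources below "None" are never consulted.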