Certificate Enrollment Object Revocation Options

Specify whether to check the revocation status of a certificate by choosing and configuring the method. Revocation checking is off by default; neither method (CRL or OCSP) is checked.

Secure Firewall Management Center Navigation Path

Objects > Object Management, then from the navigation pane choose PKI > Cert Enrollment. Press (+) Add Cert Enrollment to open the Add Cert Enrollment dialog, and select the Revocation tab.

Fields

  • Enable Certificate Revocation Lists—Check to enable CRL checking.

    • Use CRL distribution point from the certificate—Check to obtain the revocation lists distribution URL from the certificate.

    • Use static URL configured—Check this to add a static, pre-defined distribution URL for revocation lists. Then add the URLs.

      CRL Server URLs—The URL of the LDAP server from which the CRL can be downloaded.

      URLs must start with http://. Include a port number in the URL. Enclose IPv6 addresses in square brackets, for example: http://[0:0:0:0:0.18:0a01:7c16].

  • Enable Online Certificate Status Protocol (OCSP)—Check to enable OCSP checking.

    OCSP Server URL—The URL of the OCSP server to check for revocation status, if you require OCSP checks.

    URLs must start with http://. Enclose IPv6 addresses in square brackets, for example: http://[0:0:0:0:0.18:0a01:7c16].

  • Consider the certificate valid if revocation information cannot be reached—Checked by default. Uncheck if you do not want certificates to be considered valid when the revocation information cannot be reached.
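The URL rules stated under CRL Server URLs and OCSP Server URL can be checked before the values are entered in the dialog. The following is an added example, not Cisco code: the function name `check_revocation_url`, its `require_port` parameter, and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def check_revocation_url(url, require_port=False):
    """Return a list of rule violations; an empty list means the URL passes."""
    if not url.startswith("http://"):
        return ["must start with http://"]
    try:
        parts = urlsplit(url)
        netloc = parts.netloc.rpartition("@")[2]  # drop any userinfo
        # More than one colon outside brackets means a bare IPv6 literal.
        if "[" not in netloc and netloc.count(":") > 1:
            return ["IPv6 address must be enclosed in square brackets"]
        host, port = parts.hostname, parts.port
    except ValueError as exc:  # malformed brackets, non-numeric port, ...
        return [f"cannot parse: {exc}"]
    problems = []
    if not host:
        problems.append("missing host")
    elif netloc.startswith("["):
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            problems.append("bracketed host is not a valid IPv6 address")
    # The page asks for a port number in CRL server URLs.
    if require_port and port is None:
        problems.append("CRL URL must include a port number")
    return problems


# Constructed sample values (example.com and 2001:db8::/32 are
# reserved for documentation); the flag marks a CRL server URL.
SAMPLES = [
    ("http://crl.example.com:80/ca.crl", True),
    ("http://crl.example.com/ca.crl", True),
    ("http://[2001:db8::10]:8080/ca.crl", True),
    ("http://2001:db8::10/ca.crl", True),
    ("https://ocsp.example.com/", False),
    ("http://ocsp.example.com/", False),
]

if __name__ == "__main__":
    for url, is_crl in SAMPLES:
        result = check_revocation_url(url, require_port=is_crl)
        print(url, "->", result or "ok")
```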