
revocation-check (Security PKI)

Syntax

Hierarchy Level

Description

Specify the method the device uses to verify the revocation status of digital certificates.

Options

crl

Only certificate revocation list (CRL) is supported. A CRL is a time-stamped list identifying revoked certificates, which is signed by a CA and made available to the participating IPsec peers on a regular periodic basis.

You should also specify the location (URL) to retrieve the CRL (HTTP or LDAP). By default, the URL is empty and uses CDP information embedded in the CA certificate.

For example:

set security pki ca-profile ms-ca revocation-check crl url http://labsrv1.labdomain.com/CertEnroll/LABDOMAIN.crl

The URL can include the server name and port, for example ldap://<ip-or-fqdn>:<port>. If the port number is omitted, HTTP uses port 80 and LDAP uses port 443. Currently, you can configure only one URL; configuring a backup URL is not supported.

By default, crl is enabled. Local certificates are validated against the certificate revocation list (CRL) even when the CRL check is disabled; you can stop this by disabling the CRL check in the Public Key Infrastructure (PKI) configuration. Once the CRL check is disabled, PKI does not validate local certificates against the CRL.

disable

Disable verification of the revocation status of digital certificates.

ocsp

Configure Online Certificate Status Protocol (OCSP) to check the revocation status of a certificate.

use-crl

Specify the CRL as the method to check the revocation status of a certificate. CRL is the default method.

When you enable this option, you choose CRL as a method to verify the revocation status of digital certificates.

use-ocsp

Specify the Online Certificate Status Protocol (OCSP) as the method to check the revocation status of a certificate. CRL is the default method.

When you enable this option, you choose OCSP as a method to verify the revocation status of digital certificates.
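The following is an added configuration example, not part of the original reference page, showing the weak setting (revocation checking disabled) beside the corrected CRL and OCSP settings for the ca-profile ms-ca used above. The OCSP responder host is a placeholder, and the `ocsp url` option and the `show security pki crl` command are taken from Junos CLI syntax outside this page.

```junos
## Weak: revocation checking switched off for the profile. A peer presenting a
## revoked certificate issued by this CA is still accepted during IKE authentication.
set security pki ca-profile ms-ca revocation-check disable

## Corrected (CRL): remove the disable knob and point the device at the CRL
## distribution point from the page instead of relying on the embedded CDP.
delete security pki ca-profile ms-ca revocation-check disable
set security pki ca-profile ms-ca revocation-check crl url http://labsrv1.labdomain.com/CertEnroll/LABDOMAIN.crl
set security pki ca-profile ms-ca revocation-check use-crl

## Alternative (OCSP): configure a responder and make OCSP the checking method.
## http://ocsp.example.test/ is a placeholder responder URL.
set security pki ca-profile ms-ca revocation-check ocsp url http://ocsp.example.test/
set security pki ca-profile ms-ca revocation-check use-ocsp

commit and-quit

## Check that a CRL has actually been retrieved for the profile before trusting
## the configuration; an empty result means revoked certificates go undetected.
show security pki crl ca-profile ms-ca
```

Keep only one of the two `use-*` statements active; the last one committed selects the method used for the profile.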

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5. Support for ocsp, use-crl, and use-ocsp options added in Junos OS Release 12.1X46-D20.