Certificate Enrollment Object Revocation Options

Specify whether to check the revocation status of a certificate by choosing and configuring the method. Revocation checking is off by default; neither method (CRL or OCSP) is checked unless you enable it.

Cisco Defense Orchestrator Navigation Path

Objects > Object Management, then from the navigation pane choose PKI > PKI Enrollment. Press (+) Add PKI Enrollment to open the Add PKI Enrollment dialog, and select the Revocation tab.

Fields

  • Enable Certificate Revocation Lists—Check to enable CRL checking.

    • Use CRL distribution point from the certificate—Check to obtain the revocation list distribution URL from the certificate.

    • Use static URL configured—Check this to add a static, pre-defined distribution URL for revocation lists. Then add the URLs.

      CRL Server URLs—The URL of the LDAP server from which the CRL can be downloaded. This URL must start with ldap:// and include a port number.

  • Enable Online Certificate Status Protocol (OCSP)—Check to enable OCSP checking.

    OCSP Server URL—The URL of the OCSP server that is queried for revocation status when OCSP checks are enabled. This URL must start with http://.

  • Consider the certificate valid if revocation information cannot be reached—Checked by default. Uncheck if you do not want to allow this.

    Note

    The Consider the certificate valid if revocation information cannot be reached check box setting applies only to FTD 6.4 and lower versions. For FTD 6.5 and later versions, this setting is ignored and the bypass does not take effect.
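As an added example that is not part of the Cisco documentation, the following Python helper applies the URL rules stated for the CRL and OCSP fields and models the fail-open decision described in the note. The version threshold and outcomes are taken from the note; the 'major.minor' version string format and the status names are assumptions.

```python
from urllib.parse import urlparse


def validate_crl_url(url: str) -> list:
    """Return the problems found with a static CRL server URL (empty list = OK).

    Rules come from the field description: ldap:// scheme and an explicit port.
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "ldap":
        problems.append("CRL URL must start with ldap://")
    try:
        port = parsed.port  # raises ValueError for a non-numeric port
    except ValueError:
        port = None
    if port is None:
        problems.append("CRL URL must include a port number")
    return problems


def validate_ocsp_url(url: str) -> list:
    """Return the problems found with an OCSP server URL (empty list = OK)."""
    parsed = urlparse(url)
    if parsed.scheme != "http" or not parsed.netloc:
        return ["OCSP URL must start with http://"]
    return []


def certificate_accepted(status: str, consider_valid_if_unreachable: bool,
                         ftd_version: str) -> bool:
    """Decide whether a peer certificate passes the revocation step.

    status is 'good', 'revoked' or 'unreachable' (CRL/OCSP data could not be
    fetched).  The fail-open check box is honoured only on FTD 6.4 and lower;
    on 6.5 and later an unreachable source rejects the certificate.
    ftd_version is assumed to be a 'major.minor' string such as '6.4'.
    """
    if status == "good":
        return True
    if status == "revoked":
        return False
    if status != "unreachable":
        raise ValueError(f"unknown revocation status: {status!r}")
    major, minor = (int(part) for part in ftd_version.split(".")[:2])
    bypass_supported = (major, minor) <= (6, 4)
    return consider_valid_if_unreachable and bypass_supported
```

Run the validators over each configured URL before saving the enrollment object; a CRL URL without a port is the misconfiguration that most often makes revocation checks silently fail.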