CheckCertificateRevocation

IT Asset Management (Cloud)

Command line | Registry

When transferring data to or from an inventory beacon using the HTTPS protocol, a web server certificate is applied to the data being transferred.

When receiving web server certificates from servers, the appropriate client-side component checks the CA (certification authority) server to ensure that the certificates are not on the CRL (certificate revocation list). If a component cannot check the CRL (for example, the CA server is firewalled and cannot be contacted), the system may time out on the CRL download, and consequently fail the revocation check. To avoid this, you can use the CheckCertificateRevocation preference to prevent components from performing the CRL check.

Tip: Turning off CRL checking should be only a temporary measure while you fix the problem that prevents successful checking. It is poor security practice to omit the check for certificate currency, since without this check your system may continue to trust a certificate that has been compromised as part of a wider attack.

This preference also applies to the certificate revocation check for self-extracting EXE packages. Setting this preference to False will disable the revocation check for these packages, which can help prevent download failures in environments where access to revocation URLs is restricted.

You can set this as a common registry entry, so that the same behavior occurs across all components, and you can override the common behavior by setting an overriding registry entry for any individual component if required. By default, this preference is set so that all components check the CRL.

Values

Values / range	Boolean (`True` or `False`)
Default value	`True` Enables revocation checks for both HTTPS connections and self-extracting EXE packages.
Example values	`False` Disables revocation checks for both HTTPS connections and self-extracting EXE packages.

Command line

Tool	ndtrack, ndupload
Example	`-o CheckCertificateRevocation=”False”`

Registry

Installed by	Manual configuration
Computer preference	`[Registry]\ManageSoft\Common` or `[Registry]\ManageSoft\<Component>\CurrentVersion` where `<Component>` is the registry key for an individual component (`Tracker`, or `Uploader`). Note: In some circumstances only the specific path for a component works.

IT Asset Management (Cloud)

Current