CheckCertificateRevocation

IT Asset Management (Cloud)

Command line | Registry

When transferring data to or from an inventory beacon using the HTTPS protocol, a web server certificate is applied to the data being transferred.

When receiving web server certificates from servers, the appropriate client-side component checks the CA (certification authority) server to ensure that the certificates are not on the CRL (certificate revocation list). If a component cannot check the CRL (for example, the CA server is firewalled and cannot be contacted), the system may time out on the CRL download, and consequently fail the revocation check. To avoid this, you can use the CheckCertificateRevocation preference to prevent components from performing the CRL check.
Tip: Turning off CRL checking should be only a temporary measure while you fix the problem that prevents successful checking. It is poor security practice to omit the check for certificate currency, since without this check your system may continue to trust a certificate that has been compromised as part of a wider attack.

You can set this as a common registry entry, so that the same behavior occurs across all components, and you can override the common behavior by setting an overriding registry entry for any individual component if required. By default, this preference is set so that all components check the CRL.

Values

Values / range

Boolean (True or False)

Default value

True

Example values

False

Command line

Tool

ndtrack, ndupload

Example

-o CheckCertificateRevocation=”False”

Registry

Installed by

Manual configuration

Computer preference

[Registry]\ManageSoft\Common or [Registry]\ManageSoft\<Component>\CurrentVersion where <Component> is the registry key for an individual component (Tracker, or Uploader).
Note: In some circumstances only the specific path for a component works.

IT Asset Management (Cloud)

Current