PrioritizeRevocationChecks

IT Asset Management (Cloud)


Tip: PrioritizeRevocationChecks is supported only on UNIX-like platforms. On Windows platforms, revocation checking behavior is determined by Group Policy. For further details, see the Microsoft help topic How Certificate Revocation Works.
On UNIX-like platforms, PrioritizeRevocationChecks determines the order in which revocation checking methods are applied to PKI certificates, such as the certificates normally presented as part of data transfers using the HTTPS protocol. (This preference applies only when CheckServerCertificate and CheckCertificateRevocation are both true.) Two methods are supported for checking whether a certificate has been revoked:
  • Certificate Revocation Lists (CRL), which require the client device to download a file listing all certificates revoked by the relevant certification authority (CA).
  • Online Certificate Status Protocol (OCSP) stapling, which enables the certificate presenter to take on the resource cost of providing OCSP responses by appending ("stapling") a time-stamped OCSP response, signed by the CA, to the initial TLS handshake. This method eliminates the need for clients to directly contact the CA, enhancing both security and performance.

Omitting one of the values from the string turns off that method of checking. For example, a command line parameter -o PrioritizeRevocationChecks="OCSPSTAPLING" limits checking to OCSP stapling, and prevents download or checking of the CRL.

If OCSP stapling is to be used, you must manually add it in this preference.

Note: OCSP stapling might not be supported by all HTTPS servers. If the server does not support OCSP stapling, the agent's connection to the server will fail. You can test this using the curl command line tool: curl --cert-status https://your server/
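A scriptable version of that pre-check, as an added example that is not part of the product or its documentation: it classifies the stapled OCSP result in the output of openssl s_client -status, so a server can be verified before OCSPSTAPLING is set. The function names and sample excerpts are constructed for illustration, and using openssl instead of curl is an assumption of this example.

```shell
#!/bin/sh
# Added example: decide whether a server staples a usable OCSP response
# before setting PrioritizeRevocationChecks="OCSPSTAPLING".

# staple_status: reads `openssl s_client -status` output on stdin and prints
#   good | revoked | unknown  (certificate status in the stapled response)
#   none                      (server did not staple a response)
#   error                     (response stapled, but not a successful one)
staple_status() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/ { if ($0 ~ /successful/) ok = 1; else bad = 1 }
        /Cert Status:/ && !cs { cs = $NF }   # status of the first certificate
        END {
            if (none || (!ok && !bad)) { print "none" }
            else if (bad || cs == "")  { print "error" }
            else                       { print cs }
        }'
}

# stapling_ready: succeeds only when the stapled status is "good".
stapling_ready() { [ "$(staple_status)" = "good" ]; }

# check_server HOST [PORT]: live check (needs network access and openssl).
check_server() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | staple_status
}

# Constructed excerpts of s_client output (not captured from a real server).
SAMPLE_STAPLED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'
SAMPLE_REVOKED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
```

After sourcing the file, check_server followed by the host name prints the status for a live server; any result other than good means the server is not ready for a stapling-only setting.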

A null (or unrecognized) value is the same as not having the preference set in the registry. The default value is used in these cases.

Values

Values / range

A comma-separated list of two string literals, OCSPSTAPLING and CRL, in your chosen order.

Default value

CRL

Example values

OCSPSTAPLING

Command line

Tool

Inventory component (ndtrack), and upload component (ndupload)

Example

-o PrioritizeRevocationChecks="CRL"

Registry

Installed by

Code internals, or manual configuration

Computer preference

[Registry]\ManageSoft\Common or [Registry]\ManageSoft\<Component>\CurrentVersion where <Component> is the registry key for an individual component (Tracker, or Uploader)
