PrioritizeRevocationChecks
IT Asset Management
(Cloud)
Command line | Registry
Tip:
On
UNIX-like platforms, PrioritizeRevocationChecks
is supported only on UNIX-like
platforms. On Windows platforms, revocation checking behavior is determined by Group Policy.
For further details, see https://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx.PrioritizeRevocationChecks
determines
the ordering of processes for checking revocation of PKI certificates, such as certificates
normally issued as part of data transfers using the HTTPS protocol. (This preferences applies
only when CheckServerCertificate
and
CheckCertificateRevocation
are both true.) Two methods are supported for checking whether a certificate has been
revoked:- Certificate Revocation Lists (CRL), which require the client device to download a file listing all certificates revoked by the relevant Certification Authority
- Online Certificate Status Protocol (OCSP), where the client device receives a response specific to the single certificate being checked.
Omitting one of the values from the string turns off that method of checking. For example, a
command line parameter
-o PrioritizeRevocationChecks="OCSP"
limits checking
to OCSP, and prevents download or checking of the CRL.Tip: Beware of turning off a
type of checking which may be uniquely specified in the server certificate (or any
intermediate certificate up the chain). For example, if a certificate specifies a URI
only for CRL checking, and you use this preference as
-o
PrioritizeRevocationChecks="OCSP"
, then every certificate check must by
definition fail because of these contradictory settings. Recommended general practice is to
use the default value, which uses the most efficient check first but fails over to the older
technology if OCSP checking is not available for a certificate. Vary the setting only if
your enterprise has an internal certificate authority and you are sure of the revocation
settings for your internal certificates.A null (or unrecognized) value is the same as not having the preference set in the registry: the default value is used in these cases.
Assuming that preferences allow revocation checking, the processing order for revocation
checking is:
- The CRL cache is checked. (This is always first, regardless of the setting of
PrioritizeRevocationChecks
.) - If the value of
PrioritizeRevocationChecks
includes OCSP (whether first or second), the OCSP cache is checked. - When neither cache provides an authoritative result, networked resources are accessed in
the order specified by
PrioritizeRevocationChecks
. - When neither of the networked revocation checks provides an authoritative result, the check results in a hard failure, and data transfer between the client component and the inventory beacon cannot proceed using the HTTPS protocol.
CheckServerCertificate
=True
,CheckCertificateRevocation
=True
,PrioritizeRevocationChecks=OCSP,CRL
. OCSP checking is on and given top priority.- An HTTPS transfer is attempted, and for networking reasons the OCSP server is
temporarily unavailable. Accordingly, fail-over occurs, so that the CRL is downloaded for
the revocation check. Since it includes a
nextUpdate
setting a week in advance, the CRL is cached. - Later (but within the week), another HTTPS transfer is attempted. Because there is a
valid CRL in the cache, this is checked first (and provides the revocation result). A
networked OCSP revocation check does not occur (despite the preference in
PrioritizeRevocationChecks
) until after the cached CRL expires.
Values
Values / range |
A comma-separated list of two string literals, OCSP and CRL, in your chosen order. |
Default value |
|
Example values |
|
Command line
Tool |
Inventory component (ndtrack), and upload component (ndupload) |
Example |
|
Registry
Installed by |
Code internals, or manual configuration |
Computer preference |
[Registry]\ManageSoft\Common or
[Registry]\ManageSoft\<Component>\CurrentVersion
where <Component> is the registry key for an
individual component (Tracker , or Uploader ) |
IT Asset Management (Cloud)
Current