PrioritizeRevocationChecks

IT Asset Management (Cloud)

Command line | Registry

Tip: PrioritizeRevocationChecks is supported only on UNIX-like platforms. On Windows platforms, revocation checking behavior is determined by Group Policy. For further details, see https://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx.
On UNIX-like platforms, PrioritizeRevocationChecks determines the ordering of processes for checking revocation of PKI certificates, such as certificates normally issued as part of data transfers using the HTTPS protocol. (This preferences applies only when CheckServerCertificate and CheckCertificateRevocation are both true.) Two methods are supported for checking whether a certificate has been revoked:
  • Certificate Revocation Lists (CRL), which require the client device to download a file listing all certificates revoked by the relevant Certification Authority
  • Online Certificate Status Protocol (OCSP), where the client device receives a response specific to the single certificate being checked.
The agent component(s) stop checking as soon as an authoritative revocation result (either affirmative or negative) is determined. For example, with the default value, if the networked OCSP check shows that the certificate is revoked, the CRL is not downloaded or checked.
Omitting one of the values from the string turns off that method of checking. For example, a command line parameter -o PrioritizeRevocationChecks="OCSP" limits checking to OCSP, and prevents download or checking of the CRL.
Tip: Beware of turning off a type of checking which may be uniquely specified in the server certificate (or any intermediate certificate up the chain). For example, if a certificate specifies a URI only for CRL checking, and you use this preference as -o PrioritizeRevocationChecks="OCSP", then every certificate check must by definition fail because of these contradictory settings. Recommended general practice is to use the default value, which uses the most efficient check first but fails over to the older technology if OCSP checking is not available for a certificate. Vary the setting only if your enterprise has an internal certificate authority and you are sure of the revocation settings for your internal certificates.

A null (or unrecognized) value is the same as not having the preference set in the registry: the default value is used in these cases.

Assuming that preferences allow revocation checking, the processing order for revocation checking is:
  1. The CRL cache is checked. (This is always first, regardless of the setting of PrioritizeRevocationChecks.)
  2. If the value of PrioritizeRevocationChecks includes OCSP (whether first or second), the OCSP cache is checked.
  3. When neither cache provides an authoritative result, networked resources are accessed in the order specified by PrioritizeRevocationChecks.
  4. When neither of the networked revocation checks provides an authoritative result, the check results in a hard failure, and data transfer between the client component and the inventory beacon cannot proceed using the HTTPS protocol.
This order may result in CRL checking being used longer than expected. An example scenario might be:
  1. CheckServerCertificate=True, CheckCertificateRevocation=True, PrioritizeRevocationChecks=OCSP,CRL. OCSP checking is on and given top priority.
  2. An HTTPS transfer is attempted, and for networking reasons the OCSP server is temporarily unavailable. Accordingly, fail-over occurs, so that the CRL is downloaded for the revocation check. Since it includes a nextUpdate setting a week in advance, the CRL is cached.
  3. Later (but within the week), another HTTPS transfer is attempted. Because there is a valid CRL in the cache, this is checked first (and provides the revocation result). A networked OCSP revocation check does not occur (despite the preference in PrioritizeRevocationChecks) until after the cached CRL expires.

Values

Values / range

A comma-separated list of two string literals, OCSP and CRL, in your chosen order.

Default value

OCSP,CRL

Example values

OCSP

Command line

Tool

Inventory component (ndtrack), and upload component (ndupload)

Example

-o PrioritizeRevocationChecks="CRL,OCSP"

Registry

Installed by

Code internals, or manual configuration

Computer preference

[Registry]\ManageSoft\Common or [Registry]\ManageSoft\<Component>\CurrentVersion where <Component> is the registry key for an individual component (Tracker, or Uploader)

IT Asset Management (Cloud)

Current