PrioritizeRevocationChecks
PrioritizeRevocationChecks is supported only on UNIX-like platforms. On Windows platforms, revocation checking behavior is determined by Group Policy. For further details, see the Microsoft help topic How Certificate Revocation Works.
PrioritizeRevocationChecks determines the order of the processes for checking revocation of PKI certificates, such as the certificates normally used for data transfers over the HTTPS protocol. (This preference applies only when CheckServerCertificate and CheckCertificateRevocation are both true.) Two methods are supported for checking whether a certificate has been revoked:
- Certificate Revocation Lists (CRL), which require the client device to download a file listing all certificates revoked by the relevant certification authority (CA).
- Online Certificate Status Protocol (OCSP) stapling, which enables the certificate presenter to take on the resource cost of providing OCSP responses by appending ("stapling") a time-stamped OCSP response, signed by the CA, to the initial TLS handshake. This method eliminates the need for clients to directly contact the CA, enhancing both security and performance.
Omitting one of the values from the string turns off that method of checking. For example, a command line parameter -o PrioritizeRevocationChecks="OCSPSTAPLING" limits checking to OCSP stapling, and prevents download or checking of the CRL.
If OCSP stapling is to be used, you must manually add it in this preference.
curl --cert-status https://<your server>/
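The following is an added example, not part of the product documentation: a shell helper that classifies the stapling section of `openssl s_client -status` output, so you can confirm that a server staples an OCSP response before listing OCSPSTAPLING in this preference. The function names, the constructed sample output, and the suggested-value policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not product code). Sample outputs below are constructed.

# Reads `openssl s_client -status` output on stdin and prints one of:
#   stapled-good | stapled-revoked | stapled-unknown | not-stapled | indeterminate
classify_stapling() {
    awk '
        /OCSP response: no response sent/  { none = 1 }
        /OCSP Response Status: successful/ { ok = 1 }
        /Cert Status: /                    { sub(/.*Cert Status: /, ""); status = $1 }
        END {
            if (ok && status == "good")         print "stapled-good"
            else if (ok && status == "revoked") print "stapled-revoked"
            else if (ok)                        print "stapled-unknown"
            else if (none)                      print "not-stapled"
            else                                print "indeterminate"
        }'
}

# Illustrative policy (an assumption, not product guidance): list OCSPSTAPLING
# only when the server actually staples a "good" response.
suggest_preference() {
    case "$1" in
        stapled-good) echo "OCSPSTAPLING,CRL" ;;
        *)            echo "CRL" ;;
    esac
}

# Live check (defined but not run here): classify the handshake from HOST[:PORT].
check_server() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Constructed sample: server stapled a valid response.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'
# Constructed sample: server did not staple.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

for s in "$SAMPLE_STAPLED" "$SAMPLE_NONE"; do
    r=$(printf '%s\n' "$s" | classify_stapling)
    echo "$r -> PrioritizeRevocationChecks=\"$(suggest_preference "$r")\""
done
```

To run it against a real endpoint, call `check_server` with the host name of your own upload or inventory server.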
A null (or unrecognized) value is the same as not having the preference set in the registry. The default value is used in these cases.
Values
Values / range | A comma-separated list of two string literals, OCSPSTAPLING and CRL, in your chosen order.
Default value |
Example values |
Command line
Tool | Inventory component (ndtrack), and upload component (ndupload)
Example |
Registry
Installed by | Code internals, or manual configuration
Computer preference | [Registry]\ManageSoft\Common or [Registry]\ManageSoft\<Component>\CurrentVersion, where <Component> is the registry key for an individual component (Tracker or Uploader)
IT Asset Management (Cloud)
Current