The revocation provider retrieves the certificate revocation list (CRL) from a certification authority (CA) and uses the revocation list to determine the revocation status of a certificate. Use the Revocation Provider property sheet to specify one or more locations for a CRL and optional delta CRL, and to define the refresh interval for retrieving updated CRLs.

Base CRL and delta CRL locations

The location of CRLs and delta CRLs can be specified in the formats described in the table below. Any CRL locations defined in the CRL distribution point extension of the CA certificate are added to the revocation provider during installation of the Online Responder service.

Location format Example

HTTP

http://OnlineResponderHost/OCSP/CRLFile.crl

LDAP

ldap:///CN=CACommonName,CN=CAHostName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Fabrikam,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Multiple locations can be provided for a CRL. The order of the list defines the order of precedence. A CRL listed at a higher position is used if any two CRLs do not contain the same revocation list.

Refresh interval

The default refresh interval is defined as the CRL validity period. The interval can also be defined in minutes to refresh the CRLs more frequently.

Additional references