z/OS Cryptographic Services PKI Services Guide and Reference


Checking certificate status with PKITP

SA23-2286-00

PKITP checks the revocation status of a certificate by retrieving certificate revocation lists (CRLs) or, when specified in the certificate, by invoking an online validation service that uses the online certificate status protocol (OCSP).

PKITP certificate revocation checking is performed when useCRLS is set higher than 0. It follows the sequence of validation stages shown in Table 1.
Table 1. Sequence of validation stages for PKITP certificate revocation checking

Validation stage: OCSP responder
Description: The trust policy invokes the OCSP responder specified in the AuthInfoAccess extension.
If none is specified, or if the trust policy fails to receive certificate status from the OCSP responder, it proceeds to the next stage.

Validation stage: DP CRL, using the URI format
Description: The trust policy searches for the DP CRL (the CRL named by the CRLDistributionPoints extension) using the directories, if any, listed in URI format in the CRLDistributionPoints extension, in the order in which they appear.
If the DP CRL is found, it is used to determine whether the certificate is revoked. If the trust policy fails to find the DP CRL using the URI formats, it proceeds to the next stage.

Validation stage: DP CRL, using the distinguished-name format
Description: The trust policy searches for the DP CRL in the LDAP directories attached through the distinguished name specified, if any, in the CRLDistributionPoints extension.
If the trust policy fails to find the DP CRL using the distinguished name and the extension is not marked critical, it proceeds to the next stage.
If the trust policy fails to find the DP CRL and the extension is marked critical, the validation fails and error code 8029 (CRL not found) is returned.
If DP CRL processing is not to be performed (useCRLS is set to 0) and the target certificate contains a CRLDistributionPoints extension marked critical, validation fails and error code 8029 is returned. No attempt is made to locate the DP CRL.

Validation stage: Global revocation list
Description: The trust policy uses the global CRL to find revocation status information for the certificate.
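The stage order above, including the useCRLS=0 rule and the critical-extension fall-through, modelled as a small Python state machine. This is an added illustration, not PKITP or z/OS code; the Cert and Sources types, the injected lookup callables, and the "unchecked" result for useCRLS=0 are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

CRL_NOT_FOUND = 8029  # error code documented for a DP CRL that cannot be found


@dataclass
class Cert:
    serial: int
    ocsp_url: Optional[str] = None               # AuthInfoAccess OCSP responder, if any
    dp_uris: list = field(default_factory=list)  # CRLDistributionPoints, URI form
    dp_dn: Optional[str] = None                  # CRLDistributionPoints, distinguished-name form
    dp_critical: bool = False                    # CRLDistributionPoints marked critical


@dataclass
class Sources:
    """Injected lookups (assumed interface); None means no status / CRL not found."""
    ocsp: Callable[[str, int], Optional[str]]   # -> "good" | "revoked" | None
    crl_by_uri: Callable[[str], Optional[set]]  # -> set of revoked serials | None
    crl_by_dn: Callable[[str], Optional[set]]   # -> set of revoked serials | None
    global_crl: set                             # revoked serials in the global CRL


def check_status(cert: Cert, use_crls: int, src: Sources):
    """Return (status, stage) by walking the documented stage sequence."""
    has_dp = bool(cert.dp_uris or cert.dp_dn)
    if use_crls == 0:
        # No DP CRL processing at all; a critical CRLDP extension fails without any lookup.
        if has_dp and cert.dp_critical:
            return ("error", CRL_NOT_FOUND)
        return ("unchecked", None)  # assumption: no revocation checking is performed
    # Stage 1: OCSP responder named in AuthInfoAccess.
    if cert.ocsp_url:
        answer = src.ocsp(cert.ocsp_url, cert.serial)
        if answer is not None:
            return (answer, "ocsp")
    # Stage 2: DP CRL via the URIs, in the order they appear in the extension.
    for uri in cert.dp_uris:
        crl = src.crl_by_uri(uri)
        if crl is not None:
            return ("revoked" if cert.serial in crl else "good", "dp-crl-uri")
    # Stage 3: DP CRL via the distinguished name in the attached LDAP directory.
    if cert.dp_dn:
        crl = src.crl_by_dn(cert.dp_dn)
        if crl is not None:
            return ("revoked" if cert.serial in crl else "good", "dp-crl-dn")
    # DP CRL not found: a critical extension fails with 8029, otherwise fall through.
    if has_dp and cert.dp_critical:
        return ("error", CRL_NOT_FOUND)
    # Stage 4: global CRL.
    return ("revoked" if cert.serial in src.global_crl else "good", "global-crl")
```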





Copyright IBM Corporation 1990, 2014