Certificate revocation checking

Certificate revocation checking is applicable only to digital signature authentication methods. The RevocationChecking parameter in the IPSec policy file controls the level of certificate revocation checking that is performed during an IKE negotiation. The following three levels of revocation checking are supported:

You can specify the RevocationChecking parameter on the KeyExchangePolicy statement and the KeyExchangeAction statement. For more information about the KeyExchangePolicy statement and the KeyExchangeAction statement, see z/OS Communications Server: IP Configuration Reference.

The native IKED certificate service does not support the retrieval and checking of certificate revocation information. When the IKED is configured to use the native IKE daemon certificate service, the RevocationChecking parameter is ignored.

The NSS certificate service does support the retrieval and checking of certificate revocation information in the form of certificate revocation lists (CRLs). For information about the NSS server requirements for retrieving CRLs, see NSS server certificate revocation support. Ensure that these requirements can be met before you enable strict revocation checking in the IPSec policy file.
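The following is an added example, not code from z/OS Communications Server or its documentation. It is a small checker that reads an IPSec policy fragment and reports the effective RevocationChecking level for each KeyExchangeAction, so an administrator can see which actions will depend on CRL retrieval before enabling strict checking, and which settings are ignored when the IKED uses the native certificate service. Assumptions not confirmed by this page: the policy file uses brace-delimited statements with `#` comments, the accepted levels are Strict, Loose and None, a value on KeyExchangeAction overrides the KeyExchangePolicy value, and the default when the parameter is absent is Loose. The sample policy text is constructed.

```python
import re

# Assumed set of accepted RevocationChecking values (page names only "strict")
LEVELS = {"strict", "loose", "none"}

# Constructed sample policy fragment; parameters other than
# RevocationChecking are omitted because this example does not model them.
SAMPLE_POLICY = """
KeyExchangePolicy
{
   RevocationChecking Loose       # policy-wide value
}

KeyExchangeAction   CertAction
{
   RevocationChecking Strict      # assumed to override the policy value
}

KeyExchangeAction   OtherAction
{
   # no RevocationChecking here: inherits the policy value
}
"""

# statement-type, optional name, then a brace-delimited body
STATEMENT_RE = re.compile(r"(\w+)\s*(\w*)\s*\{([^}]*)\}", re.S)


def parse_policy(text):
    """Return a list of (statement_type, name, {parameter: value}) tuples."""
    stmts = []
    for m in STATEMENT_RE.finditer(text):
        stype, name, body = m.group(1), m.group(2) or None, m.group(3)
        params = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and blanks
            if not line:
                continue
            parts = line.split(None, 1)
            params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        stmts.append((stype, name, params))
    return stmts


def effective_revocation_levels(text, native_cert_service=False):
    """Map each KeyExchangeAction name to its effective revocation level.

    native_cert_service=True models an IKED configured to use the native
    certificate service, where the parameter is ignored (per the page).
    """
    stmts = parse_policy(text)
    policy_level = "loose"  # assumed default when the parameter is absent
    for stype, _, params in stmts:
        if stype == "KeyExchangePolicy" and "RevocationChecking" in params:
            policy_level = params["RevocationChecking"].lower()

    levels = {}
    for stype, name, params in stmts:
        if stype != "KeyExchangeAction":
            continue
        level = params.get("RevocationChecking", policy_level).lower()
        if level not in LEVELS:
            raise ValueError(f"{name}: unknown RevocationChecking value {level!r}")
        levels[name] = "ignored" if native_cert_service else level
    return levels


def actions_requiring_crl(levels):
    """Actions whose strict setting makes CRL retrieval a hard requirement."""
    return sorted(name for name, lvl in levels.items() if lvl == "strict")


if __name__ == "__main__":
    nss_levels = effective_revocation_levels(SAMPLE_POLICY)
    print("NSS certificate service:", nss_levels)
    print("Actions needing CRL retrieval:", actions_requiring_crl(nss_levels))
    print("Native IKED service:", effective_revocation_levels(SAMPLE_POLICY, True))
```

Run this against a real policy file only after confirming the statement syntax against z/OS Communications Server: IP Configuration Reference; the parser here is deliberately minimal and exists to make the inheritance and "ignored with native service" rules visible, not to validate a full policy.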