Can CRL be used instead of OCSP for Certificate revocation in MID Security Policy?

Introduction

At the time of writing, MID Server checks on endpoint SSL/TLS Certificates for outbound requests support only OCSP for looking up revocation status. CRL is not supported.

Docs: MID Server certificate check policies

There are 2 standards for Revocation checks for web server SSL/TLS Certificates:

Wikipedia: Online Certificate Status Protocol (OCSP)
Wikipedia: Certificate Revocation List (CRL)

The purpose of both is to provide a way to query a Certificate Authority (CA) to see if a certificate has been revoked for whatever reason. A revoked certificate may still work and still be within its validity dates, but should not be used any more.

Most certificate CAs will support both. e.g. Here is the ServiceNow Support website's certificate.

However some, such as internally generated certificates, might only support CRL.

Enhancement Request

An Enhancement request exists for this in the Idea Portal:
MID Certificate policies to support CRL as an alternative to OCSP

Customers are encouraged to Upvote this idea and add their use cases/pain points. If there is enough demand, this may be considered for a future enhancement.

Workaround

Where this is a problem, it is likely to be for one specific endpoint, so the recommended solution is to create an Override policy that turns off the Revocation check for that specific FQDN/IP Address.

Docs: MID Server certificate check policies

e.g.
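
To identify which endpoints advertise only CRL before an OCSP-only revocation check is applied to them, the following added example (not part of the original article and not ServiceNow code) reads the revocation pointers from a server certificate with Python's standard `ssl` module. The function names, outcome labels and the two sample certificate dictionaries are constructed for illustration.

```python
import socket
import ssl
import sys

# Constructed samples in the shape returned by SSLSocket.getpeercert().
PUBLIC_CA_CERT = {
    "OCSP": ("http://ocsp.example.test",),
    "crlDistributionPoints": ("http://crl.example.test/ca.crl",),
}
INTERNAL_CA_CERT = {
    "crlDistributionPoints": ("http://pki.corp.example/ca.crl",),
}

def advertised_revocation(cert):
    """Return (ocsp_urls, crl_urls) taken from a getpeercert() dict."""
    ocsp = list(cert.get("OCSP", ()))                  # AIA OCSP responder URIs
    crl = list(cert.get("crlDistributionPoints", ()))  # CRL distribution points
    return ocsp, crl

def mid_revocation_outlook(cert):
    """Classify a certificate for a revocation check that supports only OCSP."""
    ocsp, crl = advertised_revocation(cert)
    if ocsp:
        return "ocsp-available"          # an OCSP lookup has a responder to ask
    if crl:
        return "crl-only"                # the case the Workaround section covers
    return "no-revocation-pointers"      # neither mechanism is advertised

def fetch_cert(host, port=443, cafile=None, timeout=5):
    """Fetch the validated leaf certificate of host as a dict.

    getpeercert() only returns a populated dict for a certificate that passed
    validation, so for an internally issued certificate pass the internal CA
    bundle as cafile instead of disabling verification.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Usage: python check_revocation.py host1 host2 ...
    for host in sys.argv[1:]:
        cert = fetch_cert(host)
        ocsp, crl = advertised_revocation(cert)
        print(f"{host}: {mid_revocation_outlook(cert)} OCSP={ocsp} CRL={crl}")
```
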