Certificate validation method

Enable this group policy to specify the certificate validation method.

There are two common methods for verifying the validity of a certificate: Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL). Information about the status of certificates is stored on a revocation server. The security system of Mac OS X can check the revocation server to validate the certificate.

The validation options are described below:
1) Off: No revocation checking will be performed.
2) Best attempt: The certificate passes unless an indication of a bad certificate is returned from the server. This setting is best for most circumstances.
3) Require if cert indicates: If the URL to the revocation server is provided in the certificate, this setting requires a successful connection to a revocation server and no indication of a bad certificate. Use only in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder. If a CRL server or OCSP responder is not available, SSL and S/MIME evaluations could hang or fail.
4) Require for all certs: This setting requires successful validation of all certificates. Use only in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder. If a CRL server or OCSP responder is not available, SSL and S/MIME evaluations could hang or fail.

If you choose to validate certificates via OCSP, you can specify a local responder that overrides the responder URL provided in the certificates.

The priority determines which method (OCSP or CRL) is attempted first. If the first method chosen returns a successful validation, the second method is not attempted.

Note that this group policy has no effect on the Keychain Access > Preferences > Certificates settings.
Keychain Access > Preferences are per-user settings, which are not used by a Mac computer during login.
This group policy changes Centrify SmartCardTool > Revocation settings, which represent the system settings used by a Mac computer during login.

Once this group policy has been enabled, if it is later set to Disabled or Not Configured, or if the managed Mac leaves the domain or the Centrify software is uninstalled, the system settings plist file /Library/Preferences/com.apple.security.revocation.plist is deleted.
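As an added illustration (not Centrify's or Apple's code), the following Python model applies the four styles and the priority rule described above to a constructed copy of the revocation plist. It assumes the plist keys match the policy's Value Names and that "Require both" (RevocationFirst = Both) means every enabled method must pass; the Probe values and the responder URL are constructed inputs.

```python
import plistlib
from dataclasses import dataclass

# Style values exactly as the policy writes them (taken from the page).
OFF, BEST, IF_PRESENT, FOR_ALL = "None", "BestAttempt", "RequireIfPresent", "RequireForAll"

# Constructed sample of /Library/Preferences/com.apple.security.revocation.plist.
# Assumption: its keys mirror the policy's Value Names shown on the page.
SAMPLE_PLIST = plistlib.dumps({
    "CRLStyle": IF_PRESENT,
    "OCSPStyle": FOR_ALL,
    "RevocationFirst": "OCSP",
    "OCSPLocalResponder": "http://ocsp.responder.invalid/",  # placeholder URL
})

@dataclass
class Probe:
    """What one revocation method observed for the certificate under test (constructed)."""
    url_in_cert: bool   # certificate carries an OCSP/CRL URL
    reachable: bool     # the revocation server answered
    bad: bool           # the server reported the certificate as bad

def load_settings(data: bytes) -> dict:
    return plistlib.loads(data)

def method_result(style: str, probe: Probe) -> "bool | None":
    """One method's verdict: True/False, or None when the check is not performed (Off)."""
    if style == OFF:
        return None
    if probe.reachable and probe.bad:
        return False                            # any checking style fails on a bad cert
    if style == BEST:
        return True                             # passes unless a bad cert was reported
    if style == IF_PRESENT:
        return probe.reachable or not probe.url_in_cert
    if style == FOR_ALL:
        return probe.reachable                  # a successful connection is mandatory
    raise ValueError(f"unknown style: {style!r}")

def certificate_passes(settings: dict, ocsp: Probe, crl: Probe) -> bool:
    """Combine the two methods' verdicts according to RevocationFirst."""
    performed = [v for v in (method_result(settings.get("OCSPStyle", OFF), ocsp),
                             method_result(settings.get("CRLStyle", OFF), crl))
                 if v is not None]
    if settings.get("RevocationFirst", "OCSP") == "Both":
        return all(performed)                   # "Require both": every enabled method must pass
    # OCSP-first / CRL-first: a success from the first method is final and the second is
    # skipped, so one passing method suffices and both must fail for the cert to fail.
    return any(performed) or not performed
```

With the sample plist, an unreachable OCSP responder alone does not fail the certificate because the CRL check (RequireIfPresent) can still succeed; the same certificate fails only when both servers are unreachable.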

Supported on:

Certificate Revocation List:

  1. Off
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
    Value Name: CRLStyle
    Value Type: REG_SZ
    Value: None
  2. Best attempt
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
    Value Name: CRLStyle
    Value Type: REG_SZ
    Value: BestAttempt
  3. Require if cert indicates
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
    Value Name: CRLStyle
    Value Type: REG_SZ
    Value: RequireIfPresent
  4. Require for all certs
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
    Value Name: CRLStyle
    Value Type: REG_SZ
    Value: RequireForAll

Online Certificate Status Protocol:

  1. Off
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
    Value Name: OCSPStyle
    Value Type: REG_SZ
    Value: None
  2. Best attempt
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
    Value Name: OCSPStyle
    Value Type: REG_SZ
    Value: BestAttempt
  3. Require if cert indicates
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
    Value Name: OCSPStyle
    Value Type: REG_SZ
    Value: RequireIfPresent
  4. Require for all certs
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
    Value Name: OCSPStyle
    Value Type: REG_SZ
    Value: RequireForAll

Local Responder:

  Registry Hive: HKEY_LOCAL_MACHINE
  Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
  Value Name: OCSPLocalResponder
  Value Type: REG_SZ
  Default Value:

Priority:

  1. OCSP
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
    Value Name: RevocationFirst
    Value Type: REG_SZ
    Value: OCSP
  2. CRL
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
    Value Name: RevocationFirst
    Value Type: REG_SZ
    Value: CRL
  3. Require both
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Mac\Security\CertRevocationCheck
    Value Name: RevocationFirst
    Value Type: REG_SZ
    Value: Both


centrify_mac_settings.admx