Certificate validation method
Enable this group policy to specify the certificate validation method.
There are two common methods for verifying the validity of a certificate: Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL). Information about the status of certificates is stored on a revocation server. The security system of Mac OS X can check the revocation server to validate the certificate.
The validation options are described below:
1) Off: No revocation checking will be performed.
2) Best attempt: The certificate passes unless an indication of a bad certificate is returned from the server. This setting is best for most circumstances.
3) Require if cert indicates: If the URL to the revocation server is provided in the certificate, this setting requires a successful connection to a revocation server and no indication of a bad certificate. Use only in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder. If a CRL server or OCSP responder is not available, SSL and S/MIME evaluations could hang or fail.
4) Require for all certs: This setting requires successful validation of all certificates. Use only in a tightly controlled environment that guarantees the presence of a CRL server or OCSP responder. If a CRL server or OCSP responder is not available, SSL and S/MIME evaluations could hang or fail.
If you choose to validate certificates via OCSP, you can specify a local responder that overrides the responder URL provided in the certificates.
The priority determines which method (OCSP or CRL) is attempted first. If the first method chosen returns a successful validation, the second method is not attempted.
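The following is an added example, not Centrify's or Apple's own code: a simplified Python model of how the four validation options and the OCSP/CRL priority described above combine into a pass or fail decision. Method names, the Status values, and the treatment of a hung or unreachable server as "no conclusive answer" are assumptions made for the model; a local OCSP responder override is assumed to make OCSP usable even when the certificate names no responder.

```python
from enum import Enum


class Mode(Enum):
    OFF = "Off"
    BEST_ATTEMPT = "Best attempt"
    REQUIRE_IF_CERT_INDICATES = "Require if cert indicates"
    REQUIRE_FOR_ALL = "Require for all certs"


class Status(Enum):
    GOOD = "good"                # server answered: certificate not revoked
    REVOKED = "revoked"          # server returned an explicit bad-certificate indication
    UNREACHABLE = "unreachable"  # no usable answer (responder down, timeout, hang)


def validate(mode, priority, cert_urls, answers, ocsp_override=None):
    """Model the revocation decision for one certificate (assumed model, not trustd).

    priority      -- e.g. ("OCSP", "CRL"); the first method is attempted first
    cert_urls     -- dict method -> bool, whether the certificate carries a URL for it
    answers       -- dict method -> Status, what the server would return if contacted
    ocsp_override -- local responder URL from the policy (assumption: makes OCSP
                     available even if the certificate names no responder)
    Returns "pass" or "fail".
    """
    if mode is Mode.OFF:
        return "pass"  # no revocation checking at all

    for method in priority:
        available = cert_urls.get(method, False) or (
            method == "OCSP" and ocsp_override is not None)
        if not available:
            continue  # nothing to contact for this method
        status = answers.get(method, Status.UNREACHABLE)
        if status is Status.GOOD:
            return "pass"  # first successful validation ends evaluation
        if status is Status.REVOKED:
            return "fail"  # every mode rejects an explicit bad-certificate indication
        # UNREACHABLE: no conclusive answer, fall through to the next method

    # No method produced a conclusive answer; the mode decides the outcome.
    if mode is Mode.BEST_ATTEMPT:
        return "pass"
    if mode is Mode.REQUIRE_IF_CERT_INDICATES:
        indicated = any(cert_urls.values()) or ocsp_override is not None
        return "fail" if indicated else "pass"
    return "fail"  # REQUIRE_FOR_ALL: validation was required and never succeeded
```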
Note that this group policy has no effect on the Keychain Access > Preferences > Certificates settings.
Keychain Access > Preferences are per-user settings, which are not used by a Mac computer during login.
This group policy changes Centrify SmartCardTool > Revocation settings, which represent the system settings used by a Mac computer during login.
Once this group policy has been enabled, if it is later marked as Disabled / Not Configured, or if the managed Mac leaves the domain or the Centrify software is uninstalled, the system settings plist file /Library/Preferences/com.apple.security.revocation.plist will be deleted.
Supported on:
centrify_mac_settings.admx