If your system uses a proxy server between client applications and the Messaging Server, CRL checking can be blocked despite the fact that you correctly configured the S/MIME applet to perform CRL checking. When this problem occurs, users of Communications Express Mail receive error messages alerting them to revoked or unknown status for valid key certificates.
The following conditions cause the problem:
CRL checking is requested with these configuration values:
crlenable parameter in the smime.conf file is set to 1
local.webmail.cert.enable option of Messaging Server is set to 1
The communications link between the S/MIME applet and the proxy server is not secured with SSL, but the S/MIME applet is expecting a secured link because the checkoverssl parameter in the smime.conf file is set to 1
To solve this problem, you can:
Set up the communications link between the client machines and proxy server as a secured link with SSL and leave all the configuration values as they are. Or,
Leave the communications link unsecured and set checkoverssl to 0.
For more information see 24.7 Securing Internet Links With SSL.