Administration Console Online Help


Enable certificate revocation checking in a domain

Before you begin

For information about certificate revocation checking, see X.509 Certificate Revocation Checking.


To enable X.509 certificate revocation checking in a WebLogic domain:

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane of the Console, under Domain Structure, select the domain name.
  3. Select Security > SSL Certificate Revocation Checking > General and select the Enable Certificate Revocation Checking check box to enable X.509 Certificate Revocation checking.
  4. Optionally, you can select the certificate revocation checking method order in Revocation Checks.

    By default, when WebLogic Server checks a certificate's revocation status, it uses OCSP. If OCSP returns the certificate's status as "unknown," WebLogic Server then checks CRLs. However, you can change the checking method and order by selecting one of the following alternatives:

    • OCSP — Configures WebLogic Server to use only OCSP for certificate revocation checking
    • CRL — Configures WebLogic Server to use only CRLs for certificate revocation checking
    • CRL then OCSP — Configures WebLogic Server to use CRLs. If the CRLs cannot determine the certificate's revocation status, WebLogic Server then uses OCSP.
  5. By default, if an X.509 certificate’s revocation status cannot be determined by any of the selected checking methods, the certificate can still be accepted if the SSL certificate path validation is otherwise successful. To fail SSL certificate path validation for a certificate whose revocation status cannot be determined, select the Fail On Unknown Revocation Status check box.
  6. Click Save.
  7. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately—some require a restart (see Use the Change Center).
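
The following added example (not part of the original help page and not WebLogic code) models the rules in steps 4 and 5 so you can see which combinations of OCSP and CRL answers lead to a certificate being accepted under each setting. All function and variable names are hypothetical, and the sample statuses are constructed.

```python
# Added illustration: a model of the decision rules described in steps 4 and 5.
# Not WebLogic code; all names here are hypothetical.
from itertools import product

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

# Method orders offered in Revocation Checks (the first is the default).
ORDERS = {
    "OCSP then CRL": ("ocsp", "crl"),
    "OCSP": ("ocsp",),
    "CRL": ("crl",),
    "CRL then OCSP": ("crl", "ocsp"),
}


def revocation_status(order, results):
    """Consult each method in turn; move on only when the answer is unknown."""
    for method in ORDERS[order]:
        status = results.get(method, UNKNOWN)
        if status != UNKNOWN:
            return status
    return UNKNOWN


def accepts(order, fail_on_unknown, results):
    """True if the certificate passes, assuming the rest of path validation succeeded."""
    status = revocation_status(order, results)
    if status == REVOKED:
        return False
    if status == UNKNOWN:
        return not fail_on_unknown  # Fail On Unknown Revocation Status
    return True


def accepted_without_answer(order, fail_on_unknown):
    """Constructed inputs: every OCSP/CRL result pair accepted with no definitive status."""
    cases = []
    for ocsp, crl in product((GOOD, REVOKED, UNKNOWN), repeat=2):
        results = {"ocsp": ocsp, "crl": crl}
        if (accepts(order, fail_on_unknown, results)
                and revocation_status(order, results) == UNKNOWN):
            cases.append(results)
    return cases


if __name__ == "__main__":
    for order in ORDERS:
        for flag in (False, True):
            n = len(accepted_without_answer(order, flag))
            print(f"{order:14} fail_on_unknown={flag!s:5} accepted-without-answer cases: {n}")
```

In this model, a single-method order with Fail On Unknown Revocation Status cleared accepts a certificate even when the method that was not selected would have reported it revoked; selecting the check box removes every accepted-without-answer case.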

After you finish

After you enable certificate revocation checking in the domain, you can optionally do the following:

