Enable certificate revocation checking in a domain

Before you begin

Configure the identity and trust keystores for WebLogic Server. See Configure identity and trust and Configuring Keystores.

For information about certificate revocation checking, see X.509 Certificate Revocation Checking.

If you Enable automatic realm restart in the default security realm, you do not need to restart WebLogic Server after enabling certificate revocation checking.

To enable X.509 certificate revocation checking in a WebLogic domain:

If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
In the left pane of the Console, under Domain Structure, select the domain name.
Select Security > SSL Certificate Revocation Checking > General and select the Enable Certificate Revocation Checking check box to enable X.509 Certificate Revocation checking.
Optionally, you can select the certificate revocation checking method order in Revocation Checks.
By default, when WebLogic Server checks a certificate's revocation status, it uses OCSP. If OCSP returns the certificate's status as "unknown," WebLogic Server then checks CRLs. However, you can change the checking method and order by selecting one of the following alternatives:
- OCSP — Configures WebLogic Server to use only OCSP for CR checking
- CRL — Configures WebLogic Server to use only CRLs for CR checking
- CRL then OCSP — Configures WebLogic Server to use CRLs. If the CRLs cannot determine the certificate's revocation status, WebLogic Server then uses OCSP.
By default, if an X.509 certificate’s revocation status cannot be determined by any of the selected checking methods, the certificate can still be accepted if the SSL certificate path validation is otherwise successful. To fail SSL certificate path validation for a certificate whose revocation status cannot be determined, select the Fail On Unknown Revocation Status check box.
Click Save.
In the Change Center, click Activate Changes. If automatic realm restart is enabled in the default realm, you do not need to restart WebLogic Server for changes to go into effect.

After you finish

After you enable certificate revocation checking in the domain, you can optionally do the following:

Customize the OCSP configuration. For information, see Customize the domain-wide OCSP settings.
Customize the CRL configuration. For information, see Customize the domain-wide CRL settings.
Configure certificate authority overrides to the certificate revocation configuration. For information, see Configure certificate authority overrides.

Administration Console Online Help

Enable certificate revocation checking in a domain