CRL or OCSP to check certificate revocation

ISE has the ability to check the certificate revocation status of certificates presented to it (e.g. a client's cert in an EAP-TLS setup).


I am keen to know what you all use in your real-world deployments.

CRL or OCSP or none


The CRL option is a no-brainer, but it reacts very slowly and it seems like a last-resort method that eventually catches up. Not to mention that CRL files can grow large.

OCSP seems technically better but fraught with issues (latency incurred in the checking, failure scenarios of the OCSP server, stapling/must-staple, httpd support, etc.).

Or no revocation checks: issue short-lived certs and just wait for the expiry to kick in; rather, block the user's AD/LDAP account and don't bother with the cert revocation.



Poll Results
  • CRL (Certificate Revocation List) (33%)
  • OCSP (Online Certificate Status Protocol) (33%)
  • Don't use any certificate revocation checking (0%)
  • Other (please leave a comment) (33%)
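The three options in the poll differ mainly in what the authenticating server does when its revocation source is stale or unreachable, and in how long a revoked credential can keep working in the worst case. The script below is an added example, not code from the original post or from Cisco ISE; it models that decision logic in plain Python. The `ClientCert`, `CrlSnapshot` and `OcspResponse` types, the serial numbers, timestamps and interval defaults are all constructed for illustration, and the hard-fail/soft-fail switch is an assumption about how such a server could be configured rather than a description of ISE's actual settings.

```python
"""Revocation-strategy evaluator (added example; constructed data, no network)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Decision(Enum):
    ALLOW = "allow"                  # cert accepted for authentication
    DENY = "deny"                    # cert rejected
    INDETERMINATE = "indeterminate"  # status could not be established


@dataclass(frozen=True)
class ClientCert:                    # hypothetical type, only the fields we need
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CrlSnapshot:                   # what the server cached from its last CRL download
    revoked_serials: FrozenSet[int]
    this_update: datetime
    next_update: datetime


@dataclass(frozen=True)
class OcspResponse:                  # status None models a timeout / unreachable responder
    status: Optional[str]            # "good", "revoked", "unknown" or None
    produced_at: Optional[datetime] = None


def _expired(cert: ClientCert, now: datetime) -> bool:
    return now >= cert.not_after or now < cert.not_before


def check_via_crl(cert: ClientCert, crl: CrlSnapshot, now: datetime,
                  allow_stale: bool = False) -> Decision:
    if _expired(cert, now):
        return Decision.DENY
    if now > crl.next_update and not allow_stale:
        # CRL is past nextUpdate: it may not reflect current status, so refuse to decide
        return Decision.INDETERMINATE
    return Decision.DENY if cert.serial in crl.revoked_serials else Decision.ALLOW


def check_via_ocsp(cert: ClientCert, resp: OcspResponse, now: datetime,
                   hard_fail: bool = True, max_age: timedelta = timedelta(minutes=10)) -> Decision:
    if _expired(cert, now):
        return Decision.DENY
    fallback = Decision.INDETERMINATE if hard_fail else Decision.ALLOW
    if resp.status is None or resp.produced_at is None:
        return fallback              # responder down: hard-fail blocks, soft-fail waves through
    if now - resp.produced_at > max_age:
        return fallback              # response too old to be trusted (replay / stale cache)
    if resp.status == "revoked":
        return Decision.DENY
    return Decision.ALLOW if resp.status == "good" else fallback


def check_short_lived(cert: ClientCert, now: datetime, max_lifetime: timedelta,
                      account_disabled: bool) -> Decision:
    # No revocation source at all: expiry plus the directory account are the only controls.
    if _expired(cert, now) or account_disabled:
        return Decision.DENY
    if cert.not_after - cert.not_before > max_lifetime:
        return Decision.DENY         # policy choice: a long-lived cert defeats this model
    return Decision.ALLOW


def worst_case_exposure(strategy: str, crl_publish=timedelta(hours=24),
                        crl_refresh=timedelta(hours=1), ocsp_max_age=timedelta(minutes=10),
                        cert_lifetime=timedelta(hours=8)) -> timedelta:
    """Longest time a revoked credential can keep authenticating under each strategy."""
    if strategy == "crl":
        return crl_publish + crl_refresh   # must land in a published CRL, then be fetched
    if strategy == "ocsp":
        return ocsp_max_age                # bounded by how long a cached "good" is honoured
    if strategy == "short_lived":
        return cert_lifetime               # nothing is revoked; expiry is the only stop
    raise ValueError(f"unknown strategy {strategy!r}")


# Constructed sample data: one revoked serial, one good serial, a fresh and a stale CRL.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
REVOKED_CERT = ClientCert(0x1A2B, NOW - timedelta(days=10), NOW + timedelta(days=1))
GOOD_CERT = ClientCert(0x0F, NOW - timedelta(days=10), NOW + timedelta(days=1))
SHORT_CERT = ClientCert(0x77, NOW - timedelta(hours=2), NOW + timedelta(hours=6))
FRESH_CRL = CrlSnapshot(frozenset({0x1A2B}), NOW - timedelta(hours=1), NOW + timedelta(hours=23))
STALE_CRL = CrlSnapshot(frozenset({0x1A2B}), NOW - timedelta(days=2), NOW - timedelta(hours=1))


def run_demo() -> Dict[str, Decision]:
    return {
        "crl_revoked": check_via_crl(REVOKED_CERT, FRESH_CRL, NOW),
        "crl_good": check_via_crl(GOOD_CERT, FRESH_CRL, NOW),
        "crl_stale": check_via_crl(GOOD_CERT, STALE_CRL, NOW),
        "crl_stale_tolerated": check_via_crl(GOOD_CERT, STALE_CRL, NOW, allow_stale=True),
        "ocsp_revoked": check_via_ocsp(REVOKED_CERT, OcspResponse("revoked", NOW), NOW),
        "ocsp_down_hard": check_via_ocsp(GOOD_CERT, OcspResponse(None), NOW),
        "ocsp_down_soft": check_via_ocsp(GOOD_CERT, OcspResponse(None), NOW, hard_fail=False),
        "ocsp_old_response": check_via_ocsp(GOOD_CERT, OcspResponse("good", NOW - timedelta(hours=1)), NOW),
        "short_ok": check_short_lived(SHORT_CERT, NOW, timedelta(hours=8), account_disabled=False),
        "short_account_blocked": check_short_lived(SHORT_CERT, NOW, timedelta(hours=8), account_disabled=True),
        "short_too_long": check_short_lived(GOOD_CERT, NOW, timedelta(hours=8), account_disabled=False),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:22s} {decision.value}")
    for s in ("crl", "ocsp", "short_lived"):
        print(f"worst-case exposure via {s}: {worst_case_exposure(s)}")
```

The `INDETERMINATE` outcome is the point worth arguing about in a deployment: with a stale CRL or an unreachable OCSP responder the server has to pick between blocking everyone (hard-fail) and temporarily accepting revoked certificates (soft-fail), and `worst_case_exposure` makes the resulting window explicit so the short-lived-cert option can be compared on the same terms.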

