There are two settings that control if and how the agent checks to see whether a file’s certificate has been revoked:
- Initial Revocation Check: determines whether and how a certificate revocation check is done when a file is first discovered on an agent.
- Background Revocation Check: determines whether and how a certificate revocation check is done in the background every 24 hours.
For each of the revocation settings, there are three possible values:
- Network: if revocation information is not available locally, use the network to retrieve the revocation status of the certificate (CRL download or OCSP query).
- Local only: use only revocation status information that is already available locally; the network is not used. A certificate for which no revocation information has been cached therefore cannot be determined to be revoked by this check.
- Disabled: do not perform certificate revocation checking at all.
Consider your agent deployment scenario when setting these values, because they can affect agent performance. If you have offline agents, for example, avoid the Network option, especially for the Initial Revocation Check: that check runs when a file is first discovered, so a network fetch (or a wait for one to time out) can noticeably delay the agent. The daily check runs in the background and is much less likely to have a visible impact.
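The following added example illustrates what the three settings mean in practice by running a file's signing certificate through the Windows X509 chain engine in each of its revocation modes (Online, Offline, NoCheck), which correspond to the network, local-only and disabled behaviours described above. This is not Carbon Black App Control code and says nothing about how the agent implements its checks; it assumes a Windows host and an Authenticode-signed file at the path you supply.

```powershell
# Added illustration, not App Control code. Maps the page's three revocation settings onto
# the .NET/Windows X509Chain revocation modes and shows how the outcome differs per mode.
# Assumes: Windows, PowerShell 5.1 or later, and an Authenticode-signed file at -Path.

function Test-SignerRevocation {
    <#
      Builds the signer's certificate chain under one revocation mode and reports the result.
        Online  -> fetch CRL/OCSP over the network when nothing usable is cached (the "network" setting)
        Offline -> use only locally cached revocation data, never touch the network (the "local only" setting)
        NoCheck -> do not check revocation at all (the "disabled" setting)
    #>
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('Online', 'Offline', 'NoCheck')] [string] $Mode = 'Online'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # Without a valid signature there is no certificate to check; the mode is irrelevant.
        return [pscustomobject]@{
            Path = $Path; Mode = $Mode; ChainOk = $false; Status = @("Signature $($sig.Status)")
        }
    }

    $chain  = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $policy = $chain.ChainPolicy
    $policy.RevocationMode = [Enum]::Parse(
        [System.Security.Cryptography.X509Certificates.X509RevocationMode], $Mode)
    # Check every certificate in the chain, not just the leaf.
    $policy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Bounds the cost of Online mode when a CRL distribution point or OCSP responder is unreachable.
    $policy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    # Authenticode signatures are normally timestamped, so an expired signing certificate is still
    # acceptable to the signature verifier; ignore expiry here to isolate the revocation result.
    $policy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid

    $ok     = $chain.Build($sig.SignerCertificate)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    if ($status.Count -eq 0) { $status = @('NoError') }
    $chain.Dispose()

    [pscustomobject]@{ Path = $Path; Mode = $Mode; ChainOk = $ok; Status = $status }
}

function Compare-RevocationModes {
    # Runs the same file through all three modes so the differences are visible side by side.
    param([Parameter(Mandatory)] [string] $Path)
    foreach ($m in 'Offline', 'Online', 'NoCheck') {
        Test-SignerRevocation -Path $Path -Mode $m
    }
}

# Usage (the path is an assumption; any Authenticode-signed file works):
# Compare-RevocationModes -Path "C:\Windows\System32\notepad.exe" | Format-Table -AutoSize
```

Two things to watch for when reading the output. On a host whose CRL/OCSP cache does not yet hold the chain's revocation data, Offline mode reports a status such as RevocationStatusUnknown and OfflineRevocation rather than a clean result: "not known to be revoked" is not the same as "known good", which is the trade-off the local-only setting makes. Offline is deliberately run first above, because a successful Online run populates the local cache and a subsequent Offline run on the same host will then succeed. NoCheck reports NoError regardless of whether the certificate has been revoked, which is what disabling revocation checking means.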
Regardless of whether agent-based certificate revocation checks are enabled, the Carbon Black App Control Server validates the certificates in its inventory on a recurring basis to make sure that they have not been revoked. This validation generally occurs weekly and involves downloading certificate revocation lists (CRLs) from the issuing certificate authorities' CRL distribution points or making Online Certificate Status Protocol (OCSP) calls to their OCSP responders. These requests can go to a variety of sites in a variety of countries, so the server's outbound network access must allow them.
Server-based validation checks inform administrators when the status of a certificate changes, but they do not affect enforcement of rules. Enable agent-based revocation checks if you want revocations to affect rule behavior.