You can prevent users who have revoked user certificates from authenticating with smart cards by configuring certificate revocation checking. Certificates are often revoked when a user leaves an organization, loses a smart card, or moves from one department to another.

Horizon 7 supports certificate revocation checking with certificate revocation lists (CRLs) and with the Online Certificate Status Protocol (OCSP). A CRL is a list of revoked certificates published by the CA that issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of an X.509 certificate.

You can configure certificate revocation checking on a Connection Server instance or on a security server. When a Connection Server instance is paired with a security server, you configure certificate revocation checking on the security server. The CA must be accessible from the Connection Server or security server host.

You can configure both CRL and OCSP on the same Connection Server instance or security server. When you configure both types of certificate revocation checking, Horizon 7 attempts to use OCSP first and falls back to CRL if OCSP fails. Horizon 7 does not fall back to OCSP if CRL fails.