You can prevent users who have revoked user certificates from authenticating with smart cards by configuring certificate revocation checking. Certificates are often revoked when a user leaves an organization, loses a smart card, or moves from one department to another.

VMware Horizon supports certificate revocation checking with certificate revocation lists (CRLs) and with the Online Certificate Status Protocol (OCSP). A CRL is a list of revoked certificates published by the CA that issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of an X.509 certificate.

You can configure certificate revocation checking on a Connection Server instance. The CA must be accessible from the Connection Server host.

You can configure both CRL and OCSP on the same Connection Server instance. When you configure both types of certificate revocation checking, attempts to use OCSP first and falls back to CRL if OCSP fails. VMware Horizon does not fall back to OCSP if CRL fails.