Currently in our environment, we have CRL checking enabled for ADFS, but do we also need to leave CRL checking enabled for IIS7.5? Our IIS server is setup behind a firewall for outgoing traffic only, no incoming traffic.
Are there any benefits/issues we might run into if disable CRL checking? I haven't been able to find a proper answer to my question anywhere, so I thought I'd post a question here.
Thanks.
The top benefit is performance boost, as CRL checking is slow.
The top disadvantage is security where you allow revoked certificates to pass when CRL checking is disabled.
I know i am late here but few days before i worked with client ssl certificate authentication an i got sc-status 403 sc-substatus 13 (403.16) from IIS. It was about CRL check for certificate revocation.
We could disable/enable it but the best practices is to keep it enable only if you are integrating Certifying Authorities certificates of your country in your app.
If you working with self created certificate then you might disable it.
