Configuration options

Table 1. Optional configuration options
Columns, in order: key, type, default value, description

check-only-end-entity

boolean

false

Only check the revocation status of end-entity certificates. Default value is false.

enabled

boolean

false

Flag indicating whether this revocation config is enabled.

fallback-enabled

boolean

true

Enable fallback to the less preferred checking option.

If the primary revocation checking method (a CRL or OCSP) fails to verify the revocation status of a certificate, the checker will attempt the alternative method. This option determines whether revocation checking is performed strictly according to the specified method or falls back to the less preferred one. OCSP is preferred over the CRL by default.

ocsp-responder-uri

URI

 

The URI that identifies the location of the OCSP responder. This overrides the ocsp.responderURL security property and any responder specified in a certificate’s Authority Information Access Extension, as defined in RFC 5280.

prefer-crl-over-ocsp

boolean

false

Prefer CRL over OCSP. Default value is false. OCSP is preferred over the CRL by default.

soft-fail-enabled

boolean

false

Allow the revocation check to succeed if the revocation status cannot be determined for one of the following reasons:

  • The CRL or OCSP response cannot be obtained because of a network error.

  • The OCSP responder returns one of the following errors specified in section 2.3 of RFC 2560: internalError or tryLater.
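The option descriptions above match the wording of the JDK's java.security.cert.PKIXRevocationChecker options. The following Java code is an added example, not the product's own code: it assumes each key maps onto the corresponding JDK option and shows how the documented defaults combine. The class and method names and the responder URI are hypothetical.

```java
import java.net.URI;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

public class RevocationOptionsDemo {

    // Read a boolean key, using the table's default when the key is absent.
    static boolean flag(Map<String, String> cfg, String key, boolean dflt) {
        String v = cfg.get(key);
        return v == null ? dflt : Boolean.parseBoolean(v);
    }

    // Assumed mapping from the table's keys to JDK options.
    // Note the inversion: fallback is on by default, so only
    // fallback-enabled=false adds NO_FALLBACK.
    static Set<Option> toOptions(Map<String, String> cfg) {
        Set<Option> opts = EnumSet.noneOf(Option.class);
        if (flag(cfg, "check-only-end-entity", false)) opts.add(Option.ONLY_END_ENTITY);
        if (flag(cfg, "prefer-crl-over-ocsp", false)) opts.add(Option.PREFER_CRLS);
        if (!flag(cfg, "fallback-enabled", true)) opts.add(Option.NO_FALLBACK);
        if (flag(cfg, "soft-fail-enabled", false)) opts.add(Option.SOFT_FAIL);
        return opts;
    }

    // Returns null when the revocation config is disabled (the default).
    static PKIXRevocationChecker build(Map<String, String> cfg) throws Exception {
        if (!flag(cfg, "enabled", false)) return null;
        PKIXRevocationChecker rc = (PKIXRevocationChecker)
                CertPathValidator.getInstance("PKIX").getRevocationChecker();
        rc.setOptions(toOptions(cfg));
        String uri = cfg.get("ocsp-responder-uri");
        if (uri != null) rc.setOcspResponder(URI.create(uri)); // overrides AIA and ocsp.responderURL
        return rc;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configurations.
        Map<String, String> strict = Map.of("enabled", "true", "fallback-enabled", "false");
        Map<String, String> lenient = Map.of("enabled", "true", "soft-fail-enabled", "true",
                "ocsp-responder-uri", "http://ocsp.example.test");
        System.out.println("strict:  " + build(strict).getOptions());   // OCSP only, hard fail
        System.out.println("lenient: " + build(lenient).getOptions());  // OCSP, then CRL, then accept
        System.out.println("default: " + build(Map.of()));              // disabled, no checker
    }
}
```

With soft-fail enabled, PKIXRevocationChecker.getSoftFailExceptions() returns the errors that were ignored during validation; logging them makes certificates accepted with undetermined revocation status visible.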