CRL vs Checking if account is disabled

Question

When it comes to CAC authentication, is there a particular benefit in checking if certificates from the CAC were revoked using a CRL as opposed to parsing out the CN value(identifier in AD) to see if the account is enabled?&nbsp;
I do not know what the common practice is in system administration for disabling accounts and revoking certificates, so I am really unable to answer this question. If the two actions are tied together, say when the certs are revoked the AD account is set to disabled, is there a key advantage in performing one over the other? My intuition leads me to believe that checking against the AD would 'always' be more accurate than the CRL or even OCSP. In other words, I feel that checking in AD to see if the account is disabled is more "authoritative" over a CRL.&nbsp;

boneyard · Answer

i agree with you, CRLs are more meant when there isn't another source to check. i mean an AD is not always involved and then CRLs are nice. but certainly the delay can be an issue.&nbsp;

Forum Discussion

CRL vs Checking if account is disabled

1 Reply

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Failing over Virtual F5 VE to DR location using Zerto

Failing over of a Virtual F5 configuration to another location using Zerto restore process

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

Related Content

BIG-IP security hardening and compliance checks

Create a DevCentral account

Change admin account

Creating local user account

ForgeRock with F5 Distributed Cloud (XC) Account Protection and Authentication Intelligence

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS