Adding CVE checks to the configuration

When you are satisfied with certificate verification using Deny self-signed certificates and Verify entire certificate chain with the CRL check, you can start to enable additional verification options. Enable options one at a time and repeat the same testing procedures.

Note: If you are following the recommended steps, “Check certificate revocation by CRL” is already enabled.

For each option enabled, when there is a certificate verification failure, an incident is added to the Incident List. Begin troubleshooting by examining the Incident List. See Troubleshooting Certificate Verification Failures.

Important: To reduce administrative overhead, do not enable checks that aren’t required by your IT security policy.

For more information on CVE options, see Validating certificates.