Enabling the CVE
Now that SSL support is on and stable, with Deny self-signed certificates and Verify entire certificate chain enabled, enable the CVE with CRL checking enabled. The CRL check is an essential certificate verification check that rarely fails in error.
Repeat the testing performed after SSL was enabled.
If a certificate fails because it is on a revocation list, a fast and easy way to confirm the revocation status is to use a web-hosted certificate verification tool. Using a browser and a common Search site, search for “SSL checker”.
Select a site that you trust and enter the exact URL of the site that failed.
At this stage, to minimize disruption to users, you may also want to enable Verification Bypass. See CVE with Verification Bypass enabled.