Certificate validation methods in IBM MQ AMS

You can use IBM® MQ Advanced Message Security to detect and reject revoked certificates so that messages on your queues are not protected using certificates that do not fulfill security standards.

IBM MQ AMS allows you to verify a certificate's validity by using either Online Certificate Status Protocol (OCSP) or a certificate revocation list (CRL).

IBM MQ AMS can be configured for OCSP checking, CRL checking, or both. If both methods are enabled, then, for performance reasons, IBM MQ AMS checks revocation status with OCSP first. If the revocation status of a certificate is still undetermined after the OCSP check, IBM MQ AMS falls back to CRL checking.

Note that both OCSP and CRL checking are enabled by default.
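
The checking order described above, modeled in Python as an added example (this is not IBM code and does not call any IBM MQ API). The function names, the three-state `Status` type and the sample serial numbers are assumptions made for illustration; what finally happens to a certificate whose status stays undetermined is not covered on this page, so the model simply returns that state.

```python
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"

def _ask(source, serial):
    """Query one revocation source; a network failure counts as undetermined."""
    try:
        return source(serial)
    except OSError:  # includes TimeoutError and ConnectionError
        return Status.UNDETERMINED

def check_revocation(serial, ocsp=None, crl=None):
    """Return (status, methods_tried). Pass None to model a disabled method."""
    tried = []
    for name, source in (("OCSP", ocsp), ("CRL", crl)):  # OCSP is always first
        if source is None:
            continue
        tried.append(name)
        status = _ask(source, serial)
        if status is not Status.UNDETERMINED:
            return status, tried  # definitive answer, no further lookups
    return Status.UNDETERMINED, tried

# Constructed sample data: all serial numbers below are made up.
OCSP_ANSWERS = {0x1001: Status.GOOD, 0x1002: Status.REVOKED}
CRL_REVOKED = {0x1003}
CRL_COVERS = {0x1001, 0x1002, 0x1003, 0x1004}  # serials the sample CRL's issuer signed

def sample_ocsp(serial):
    # A responder with no record of the serial leaves the status undetermined.
    return OCSP_ANSWERS.get(serial, Status.UNDETERMINED)

def unreachable_ocsp(serial):
    raise TimeoutError("responder did not answer")

def sample_crl(serial):
    if serial not in CRL_COVERS:
        return Status.UNDETERMINED
    return Status.REVOKED if serial in CRL_REVOKED else Status.GOOD
```

The second element of the result shows which methods were consulted, which makes it easy to see when a slow or unreachable OCSP responder is pushing every check onto the CRL path.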