Hi @Step to IT,
This behavior is "By design". “Online” certificate revocation status checks using Certificate Revocation List (CRL) or OCSP URLs included in certificates are disabled by default. This is because unless a client, like Chrome, refuses to connect to a website if it cannot get a valid response, online checks offer limited security value. You can refer to this link: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/faq.md#what_s-the-story-with-certificate-revocation.
There are two relevant policies that can change the Edge Revocation Checking configuration away from the default:
1. https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#enableonlinerevocationchecks This enables soft-fail online revocation checks. If the certificate does not contain revocation information, the certificate is deemed valid. If the revocation check does not complete (e.g. inaccessible CA), the certificate is deemed valid. If the certificate revocation check successfully returns that the certificate was revoked, the certificate is deemed invalid.
2. https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#requireonlinerevocationchecksforlocalanchors This enables hard-fail online revocation checks for certificates whose trust anchor is a locally trusted root (e.g. an enterprise CA, not a public CA). If the certificate does not contain revocation information, the certificate is deemed invalid. If the revocation check does not complete (e.g. inaccessible CA), the certificate is deemed invalid. If the certificate revocation check successfully returns that the certificate was revoked, the certificate is deemed invalid.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Best regards,
Jinxin Wang
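To make the interplay of the two policies in the answer above concrete, here is an added example (not Edge's code and not from the answer's author) that models the documented default, soft-fail and hard-fail rules as one decision function; it also covers the case the answer does not spell out, where both policies are enabled and the outcome depends on whether the chain ends at a local or a public root. The class, field and function names are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RevocationPolicy:
    """The two Edge policies discussed above (both off by default)."""
    enable_online_revocation_checks: bool = False            # soft-fail
    require_online_revocation_checks_for_local_anchors: bool = False  # hard-fail


@dataclass(frozen=True)
class CertCheck:
    """Constructed facts about one certificate chain as seen by the client."""
    has_revocation_info: bool   # CRL or OCSP URL present in the certificate
    check_completed: bool       # the online check returned a definitive answer
    revoked: bool               # that answer said "revoked" (only if completed)
    local_anchor: bool          # chain ends at a locally trusted (enterprise) root


def is_valid(cert: CertCheck, policy: RevocationPolicy) -> bool:
    """Return True if the chain passes revocation checking under the policy."""
    # Hard-fail applies only when the policy is on AND the anchor is local.
    hard_fail = (policy.require_online_revocation_checks_for_local_anchors
                 and cert.local_anchor)
    soft_fail = policy.enable_online_revocation_checks

    if not (hard_fail or soft_fail):
        # Default behaviour: no online check is performed at all.
        return True
    if not cert.has_revocation_info:
        # Soft-fail: valid. Hard-fail: invalid.
        return not hard_fail
    if not cert.check_completed:
        # Unreachable CA / no response. Soft-fail: valid. Hard-fail: invalid.
        return not hard_fail
    # A completed check is authoritative under either mode.
    return not cert.revoked


if __name__ == "__main__":
    both = RevocationPolicy(True, True)
    revoked_public = CertCheck(True, True, True, local_anchor=False)
    missing_info_local = CertCheck(False, False, False, local_anchor=True)
    print(is_valid(revoked_public, RevocationPolicy()))   # default: True
    print(is_valid(revoked_public, both))                 # soft-fail catches it
    print(is_valid(missing_info_local, both))             # hard-fail rejects it
```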