![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 50%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
1,923 questions
There are two parts to this question.
Will the LDAP CRL be used if the HTTP CRL location is not available, the simpe answer is yes, the revocation process will try the list of URL in the CRL extention in order. This makes the assumption that the CRLs has been published in all the specifed locations.
The second part will the client still work if the HTTP CRL location is off line, this is a little more complicated as there are a number of consideration. Is the client configured to perform a certificate revocation test, has the CRL been cached on the client, is the LADP CRL location available before 802.1x tunnel has been established.
Another option is to extended the CRL validation time so the local cache will be used if the CRL location is offline. see this page for more details.
As always I would test the impact before switching off the server, probably the easiest way to do this to update the hosts configuration file to provide a invalid IP address for the server hosting the HTTP CRL.
Gary.