vCenter Server Smart Card Authentication Revocation Checking Fails

Article ID: 324309

Products

VMware vCenter Server

Issue/Introduction

Users cannot log in to vCenter Server with a CAC or smart card because certificate revocation checking fails. Typical scenarios:
  • The CRL or OCSP URL is not reachable from vCenter Server
  • The CRL is too large to download and process
  • FIPS mode is enabled and OCSP is used
  • FIPS mode is enabled and both OCSP and CRL are used

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

  • CRL revocation checking is client-based: vCenter Server downloads and parses the whole CRL itself, so a large CRL can exhaust the memory of the service doing the check
  • OCSP is not compatible with FIPS mode
  • The CRL or OCSP URLs are not reachable from vCenter Server because a firewall blocks them

Resolution

  • If FIPS mode is not enabled, use OCSP (server-based revocation checking) instead of CRL

    • The CRL processing issue is planned to be fixed in a future vSphere release.

  • Ensure that the CRL or OCSP URLs are reachable from vCenter Server and not blocked by a firewall. Test from the vCenter Server appliance shell, using the exact URL found in the certificate:

    • curl https://crl_ocsp_url

  • Use an alternate CRL

    • Set Revocation Policies for Smart Card Authentication

      • Use CRL from certificate: By default, vCenter Single Sign-On checks the location of the CRL that is defined in the certificate being validated. Deactivate this option if the CRL Distribution Point extension is absent from the certificate or if you want to override the default.

      • CRL location: Use this property if you deactivate Use CRL from certificate and you want to specify a location (file or HTTP URL) where the CRL is located.
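The reachability check above is a single curl against a URL you have to copy out of the certificate by hand. The following script is an added example, not part of this KB, that automates the same check from the vCenter Server appliance shell: it extracts the CRL Distribution Point and OCSP URIs from a user's PEM certificate with openssl, probes each with a HEAD request, and for CRLs reports the advertised Content-Length, which is the size the revocation checker would have to load into memory. It assumes OpenSSL 1.1.1 or later (for x509 -ext) and curl; the certificate path and the hostnames in the comments are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the KB): enumerate the revocation endpoints in a smart-card
# certificate and probe each one from the vCenter Server appliance shell, the same check
# the KB performs with "curl https://crl_ocsp_url", plus the advertised CRL size.
# Assumes OpenSSL 1.1.1+ (for "x509 -ext") and curl.
set -u

# Print the revocation endpoints embedded in a PEM certificate, one per line,
# as "CRL <url>" (CRL Distribution Points) or "OCSP <url>" (Authority Info Access).
revocation_urls() {
  cert="$1"
  openssl x509 -in "$cert" -noout -ext crlDistributionPoints 2>/dev/null \
    | awk -F'URI:' '/URI:/ { gsub(/[[:space:]]+$/, "", $2); print "CRL " $2 }'
  openssl x509 -in "$cert" -noout -ocsp_uri 2>/dev/null \
    | awk 'NF { print "OCSP " $1 }'
}

# Probe one endpoint with a HEAD request and a 10 s timeout. Any HTTP status proves the
# host is reachable through the firewall (OCSP responders commonly answer 4xx to a bare
# HEAD); a curl error means blocked, unresolvable or timed out. For a CRL, Content-Length
# is the number of bytes vCenter Server has to download and parse on every check.
probe_url() {
  kind="$1"; url="$2"
  if ! headers=$(curl -sS -I --max-time 10 "$url" 2>&1); then
    printf '%s %s UNREACHABLE (%s)\n' "$kind" "$url" "$headers"
    return 1
  fi
  code=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
  length=$(printf '%s\n' "$headers" | tr -d '\r' \
    | awk 'tolower($1) == "content-length:" { print $2; exit }')
  printf '%s %s HTTP %s size=%s bytes\n' "$kind" "$url" "$code" "${length:-unknown}"
}

# Probe every endpoint found in the certificate; returns non-zero if any is unreachable
# or the certificate carries no revocation endpoint at all.
check_cert_revocation_endpoints() {
  cert="$1"; rc=0
  urls=$(revocation_urls "$cert")
  if [ -z "$urls" ]; then
    printf 'no CRL Distribution Point or OCSP URI in %s\n' "$cert"
    return 1
  fi
  # Here-document rather than a pipe so the loop runs in this shell and keeps rc.
  while read -r kind url; do
    [ -n "$url" ] || continue
    probe_url "$kind" "$url" || rc=1
  done <<EOF
$urls
EOF
  return $rc
}

# Usage from the appliance shell: ./check-revocation.sh /path/to/user-cert.pem
if [ $# -gt 0 ]; then
  check_cert_revocation_endpoints "$1"
fi
```

Run it with the certificate exported from the smart card (or any certificate issued by the same CA). An UNREACHABLE line for a URL is the firewall case from the Cause section; a reachable CRL with a Content-Length in the tens of megabytes is the large-CRL case, for which the memory increase at the end of this article applies.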



Workaround:
If FIPS mode is enabled, configure both OCSP and CRL, with CRL as the failover for OCSP (see below).

Considerations When Using FIPS

When you activate FIPS, vCenter Server supports only FIPS-validated cryptographic modules for federated authentication. As a result, RSA SecurID and some CAC cards no longer function.

Set Revocation Policies for Smart Card Authentication

Both OCSP and CRL
If the issuing CA supports both an OCSP responder and a CRL, vCenter Single Sign-On checks the OCSP responder first. If the responder returns an unknown status or is not available, vCenter Single Sign-On checks the CRL. For this case, activate both OCSP checking and CRL checking, and activate CRL as failover for OCSP.

If the CRL is too large, increase the memory of the two services tied to websso:

  • vmware-stsd
  • vsphere-ui

First, check the current allocation:
 
 cloudvm-ram-size -l

Note: There is no one-size-fits-all memory value for this scenario. As a guide, double the memory currently assigned to the service that has the issue.
 
Manually increasing the heap memory on vCenter Server components in vCenter 6.x / 7.x (2150757)

Note: vCenter Server updates may revert these changes. Document the values you set so the procedure can be repeated as needed.
 
cloudvm-ram-size -C XXXX vsphere-ui

Note: Replace XXXX with the desired amount of memory in MB, and name the service to change (vsphere-ui or vmware-stsd).
For example, cloudvm-ram-size -C 2048 vsphere-ui increases the memory of the vsphere-ui service from its default of 768 MB to 2048 MB.