S/MIME certificates include a reference to a CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) distribution point.
The CRL distribution point is defined in the CRL Distribution Points field within the certificate and lists a URL accessible over HTTP, LDAP or both.
The OCSP distribution point is defined in the Authority Information Access field and lists a URL accessible over HTTP.
If Symantec Encryption Management Server can reach neither the CRL nor the OCSP distribution point for a certificate, messages can still be encrypted using a revoked certificate. This happens, for example, when a firewall blocks Symantec Encryption Management Server from connecting to remote hosts over HTTP and/or LDAP.
The Mail log will contain the following records when the CRL and OCSP distribution points are unavailable:
2016/04/26 17:35:49 +01:00 INFO pgp/messaging: SMTP-00001: Unable to find valid OCSP server
2016/04/26 17:35:49 +01:00 WARN pgp/messaging: SMTP-00001: Could not retrieve URL http://server.name:80/crlfile.crl: couldn't connect to server/
Here, server.name is the DNS name of the server hosting the CRL and crlfile.crl is the name of the CRL file.
Symantec Encryption Management Server must be able to access URLs over HTTP or LDAP to determine whether an S/MIME certificate is revoked. Ensure that outbound HTTP and LDAP are not blocked by a firewall if this functionality is required.
By design, Symantec Encryption Management Server will encrypt using an S/MIME certificate if its revocation status cannot be discovered using CRL or OCSP.
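The following added example (not Symantec's code and not part of this article) shows the two certificate fields the article refers to and the fail-open behaviour it describes. It builds a self-signed test certificate carrying a CRL Distribution Points extension (one HTTP and one LDAP URL, modelled on the log lines above) and an Authority Information Access extension with an OCSP URL, extracts those URLs, derives which outbound protocols a gateway would need, and encodes the encrypt/refuse decision for a certificate whose revocation status is unknown. The URLs server.name/crlfile.crl and server.name/ocsp are hypothetical; the example requires the `cryptography` package.

```python
"""Added example (not Symantec's code): read the CRL Distribution Points and
Authority Information Access extensions from an S/MIME certificate and show
how a fail-open versus fail-closed revocation policy behaves when the
distribution points cannot be reached. Requires the `cryptography` package."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Hypothetical distribution points, constructed to mirror the Mail log lines.
CRL_HTTP = "http://server.name:80/crlfile.crl"
CRL_LDAP = "ldap://server.name/CN=crlfile?certificateRevocationList"
OCSP_URL = "http://server.name/ocsp"


def build_test_certificate() -> x509.Certificate:
    """Construct a self-signed S/MIME-style certificate carrying both extensions."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "user@example.com")])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=30))
        # CRL Distribution Points: where a CRL for this certificate is published.
        .add_extension(
            x509.CRLDistributionPoints([
                x509.DistributionPoint(
                    full_name=[x509.UniformResourceIdentifier(CRL_HTTP),
                               x509.UniformResourceIdentifier(CRL_LDAP)],
                    relative_name=None, reasons=None, crl_issuer=None)]),
            critical=False)
        # Authority Information Access: where the OCSP responder lives.
        .add_extension(
            x509.AuthorityInformationAccess([
                x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                       x509.UniformResourceIdentifier(OCSP_URL))]),
            critical=False)
        .sign(key, hashes.SHA256())
    )


def revocation_endpoints(cert: x509.Certificate) -> dict:
    """Return {'crl': [urls], 'ocsp': [urls]} found in the certificate.
    A certificate may carry neither extension, so both lists default to empty."""
    endpoints = {"crl": [], "ocsp": []}
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
        for dp in cdp:
            for gn in dp.full_name or []:
                if isinstance(gn, x509.UniformResourceIdentifier):
                    endpoints["crl"].append(gn.value)
    except x509.ExtensionNotFound:
        pass
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
        for ad in aia:
            if (ad.access_method == AuthorityInformationAccessOID.OCSP
                    and isinstance(ad.access_location, x509.UniformResourceIdentifier)):
                endpoints["ocsp"].append(ad.access_location.value)
    except x509.ExtensionNotFound:
        pass
    return endpoints


def required_outbound_protocols(endpoints: dict) -> set:
    """URL schemes the gateway must be allowed to reach to check revocation."""
    return {urlparse(u).scheme for u in endpoints["crl"] + endpoints["ocsp"]}


def may_encrypt(status: str, fail_closed: bool) -> bool:
    """Policy decision for one recipient certificate.
    status is 'good', 'revoked' or 'unknown' (every distribution point unreachable).
    The article describes fail-open behaviour: 'unknown' is treated like 'good'.
    A fail-closed policy refuses to encrypt until the status can be determined."""
    if status == "good":
        return True
    if status == "revoked":
        return False
    return not fail_closed


if __name__ == "__main__":
    cert = build_test_certificate()
    ep = revocation_endpoints(cert)
    print("CRL URLs:", ep["crl"])
    print("OCSP URLs:", ep["ocsp"])
    print("Outbound protocols needed:", sorted(required_outbound_protocols(ep)))
    print("Encrypt with unknown status, fail-open:", may_encrypt("unknown", False))
    print("Encrypt with unknown status, fail-closed:", may_encrypt("unknown", True))
```

Running `required_outbound_protocols` over a real recipient certificate tells you which protocols the firewall must permit; the two `may_encrypt` calls with status "unknown" contrast the documented fail-open behaviour with a fail-closed alternative.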