The validation of a chain is performed in the following manner (but not necessarily in the following order):
Only LDAP format URIs are supported in the certificate's CRL distribution point extension. If that extension is not present, the distinguished name of the certificate's issuer is used as the lookup name instead. A CRL database (an LDAP directory) is then queried for CRLs. If the certificate is not the last certificate in the chain, or if the last certificate has the basic constraints extension with the "isCA" flag turned on, the database is queried for ARLs (authority revocation lists) as well as CRLs. If CRL checking is enabled and no CRL database can be queried, the certificate is treated as revoked: the check fails closed rather than silently accepting the certificate. Currently, the X.500 directory name form and the LDAP URI form are the only supported name forms used to look up CRLs and ARLs.
The CRL itself is also validated to ensure that it is usable, and this is performed in the following manner (but not necessarily in the following order):
A potential scenario exists where the CA that issues a CRL sets an unknown critical extension to indicate that, even though all other validation checks succeed, a certificate listed in the CRL should not be considered revoked and so should not be rejected by the application. In this scenario, following X.509 (RFC 5280 section 5.2 requires that a CRL containing a critical extension the application cannot process is not used to determine certificate status), WebSphere MQ for UNIX and Windows systems functions in a fail-secure mode of operation. That is, it might reject certificates that the CA did not intend to be rejected and therefore might deny service to some valid users. The alternative, a fail-insecure mode, ignores a CRL because it has an unknown critical extension, so certificates that the CA intended to revoke are still accepted. An administrator who sees valid users rejected for this reason should query the behavior with the issuing CA.
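As an added example (not WebSphere MQ code), the lookup rules and the fail-secure handling of unknown critical CRL extensions from the paragraphs above, modelled in Python. An in-memory class stands in for the LDAP directory; the distinguished names, the LDAP URI, the certificates, the revocation lists and the private-arc OID are all constructed for this example. Where the page does not state a rule (non-LDAP distribution points, a list that simply does not exist), the choice made here is marked as an assumption in a comment.

```python
# Added example: in-memory model of CRL/ARL lookup with fail-secure behaviour.
# Not WebSphere MQ code; all names, URIs and lists below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Real OIDs of the two CRL extensions this checker understands:
# cRLNumber (2.5.29.20) and authorityKeyIdentifier (2.5.29.35).
KNOWN_CRL_EXTENSIONS = {"2.5.29.20", "2.5.29.35"}


@dataclass
class Extension:
    oid: str
    critical: bool


@dataclass
class Certificate:
    subject: str
    issuer: str                 # X.500 directory name of the issuer
    serial: int
    is_ca: bool = False         # basicConstraints "isCA" flag
    crl_distribution_points: List[str] = field(default_factory=list)


@dataclass
class RevocationList:
    issuer: str
    revoked_serials: Set[int]
    extensions: List[Extension] = field(default_factory=list)


class DatabaseUnavailable(Exception):
    """Raised when the directory stand-in cannot be queried at all."""


class LdapStandIn:
    """Stand-in for the LDAP CRL database, keyed by (lookup name, 'crl' | 'arl')."""

    def __init__(self, entries: Dict[Tuple[str, str], RevocationList], reachable: bool = True):
        self.entries = entries
        self.reachable = reachable

    def query(self, name: str, kind: str) -> Optional[RevocationList]:
        if not self.reachable:
            raise DatabaseUnavailable(name)
        return self.entries.get((name, kind))


def lookup_name(cert: Certificate) -> str:
    """LDAP URI from the CRL distribution point extension, else the issuer's DN.
    Assumption (not stated on the page): non-LDAP URIs are skipped, not rejected."""
    for uri in cert.crl_distribution_points:
        if uri.lower().startswith("ldap://"):
            return uri
    return cert.issuer


def revocation_status(cert: Certificate, is_last: bool, db: LdapStandIn,
                      crl_checking: bool = True, fail_secure: bool = True) -> str:
    """Return 'good', 'revoked', 'rejected' or 'unchecked' for one certificate of a chain.

    fail_secure=True is the behaviour described on the page; fail_secure=False shows the
    fail-insecure alternative, which ignores a list carrying an unknown critical extension."""
    if not crl_checking:
        return "unchecked"
    # The last certificate without the isCA flag is checked against CRLs only; every
    # other certificate (and a last certificate that is a CA) against ARLs and CRLs.
    kinds = ["crl"] if (is_last and not cert.is_ca) else ["arl", "crl"]
    name = lookup_name(cert)
    for kind in kinds:
        try:
            rl = db.query(name, kind)
        except DatabaseUnavailable:
            return "revoked"        # no CRL database can be queried: treated as revoked
        if rl is None:
            continue                # assumption: a missing list is not an error by itself
        unknown_critical = [e.oid for e in rl.extensions
                            if e.critical and e.oid not in KNOWN_CRL_EXTENSIONS]
        if unknown_critical:
            if fail_secure:
                return "rejected"   # the list cannot be used, so the certificate is refused
            continue                # fail-insecure: the list is silently ignored
        if cert.serial in rl.revoked_serials:
            return "revoked"
    return "good"


def build_sample() -> Tuple[LdapStandIn, Certificate, Certificate]:
    """Constructed chain root -> intermediate -> leaf with constructed revocation lists."""
    root_dn = "CN=Example Root CA,O=Example"
    inter_dn = "CN=Example Issuing CA,O=Example"
    ldap_uri = "ldap://crl.example.test/CN=Example%20Issuing%20CA,O=Example"
    intermediate = Certificate(subject=inter_dn, issuer=root_dn, serial=2, is_ca=True)
    leaf = Certificate(subject="CN=mqserver,O=Example", issuer=inter_dn, serial=1001,
                       crl_distribution_points=["http://crl.example.test/issuing.crl", ldap_uri])
    entries = {
        (ldap_uri, "crl"): RevocationList(inter_dn, {1002}, [Extension("2.5.29.20", False)]),
        (root_dn, "arl"): RevocationList(root_dn, {2}),    # the intermediate CA is revoked
        (root_dn, "crl"): RevocationList(root_dn, set()),
    }
    return LdapStandIn(entries), intermediate, leaf


if __name__ == "__main__":
    db, intermediate, leaf = build_sample()
    print("leaf:", revocation_status(leaf, True, db))
    print("intermediate:", revocation_status(intermediate, False, db))
    print("leaf, directory down:", revocation_status(leaf, True, LdapStandIn({}, reachable=False)))
```

The `fail_secure` flag exists only to make the contrast in the text visible side by side; the page describes the fail-secure path as the product's behaviour and does not say it is configurable.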