Parameter: NOCRLCheck
Short description: Disables certificate revocation list (CRL) checking for SSL/TLS connections – security-sensitive, use only when necessary.
Profile
Parameter | NOCRLCheck |
Category | Security / TLS |
Component | Server, Client |
Available since | R6 |
Supported versions | 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = CRL check active (default), 1 = skip CRL check |
Description
With NOCRLCheck=1, Domino / Notes skips Certificate Revocation List (CRL) checks during SSL/TLS handshakes. This is useful when the server runs on an isolated network without internet access, or when the CA's CRL endpoints are unreachable; in those cases the missing CRL response would otherwise block legitimate TLS connections.
From a security perspective, this is a compromise: once the check is skipped, revoked certificates are no longer rejected. The recommended alternative is therefore to use OCSP stapling or at least to make the CRL servers temporarily reachable.
Example configuration
NOCRLCheck=1
Notes & pitfalls
- Enabling this setting significantly weakens TLS security: document the exception and limit how long it stays in place.
- Useful, for example, for air-gapped servers with an internal CA and a manual revocation workflow.
- For internet-exposed servers, definitely leave NOCRLCheck=0.
- Pairs with SSLEnableProxiedConnect, SSLCipherSpec, etc.
- The change takes effect only after a restart of the respective tasks.
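To keep the exception documented and time-limited, as the notes above recommend, a notes.ini file can be checked for this parameter. The following is an added example, not part of the original page and not HCL code. The function name, the status strings, the case-insensitive key match and the sample file content are assumptions made for illustration.

```python
import re

# Assumption: the key is matched case-insensitively and spaces around "=" are tolerated.
_ENTRY = re.compile(r"^\s*NOCRLCheck\s*=\s*(.*?)\s*$", re.IGNORECASE)

# Constructed sample notes.ini content (not taken from a real server).
SAMPLE_INI = """[Notes]
Directory=/local/notesdata
NOCRLCheck=1
"""

def audit_nocrlcheck(ini_text, internet_exposed=False):
    """Return (status, findings) for the NOCRLCheck entries in notes.ini text."""
    entries = []
    for lineno, line in enumerate(ini_text.splitlines(), start=1):
        match = _ENTRY.match(line)
        if match:
            entries.append((lineno, match.group(1)))

    if not entries:
        # Per the parameter profile, 0 (CRL check active) is the default.
        return "crl-check-active", ["NOCRLCheck not set, default 0 applies"]

    findings = []
    if len(entries) > 1:
        lines = ", ".join(str(n) for n, _ in entries)
        findings.append(f"multiple NOCRLCheck entries (lines {lines}), review manually")

    invalid = [(n, v) for n, v in entries if v not in ("0", "1")]
    for n, v in invalid:
        findings.append(f"line {n}: value {v!r} is not one of the documented values 0 or 1")

    # Conservative: any entry set to 1 counts as disabled, whichever entry wins.
    if any(v == "1" for _, v in entries):
        findings.append("CRL checking is skipped: revoked certificates are accepted")
        if internet_exposed:
            findings.append("internet-exposed server: set NOCRLCheck=0")
        else:
            findings.append("record the exception and its expiry date")
        return "crl-check-disabled", findings
    if invalid:
        return "invalid-value", findings
    return "crl-check-active", findings

if __name__ == "__main__":
    status, notes = audit_nocrlcheck(SAMPLE_INI, internet_exposed=True)
    print(status)
    for note in notes:
        print(" -", note)
```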