I had revoked the certificate and when tried to login into application with the revoked certificate i am able to login successfully into the application. Now after(5-6 hours)i had observed the revoked certificate at CA and it says that it is revoked by CA. Now when i tried to login into the application with the revoked certificate then "403 - Forbidden: Access is denied" message is shown. According to us when a certificate is made revoked then certificate must be made invalid by checking the certificate weather it is revoked or unrevoked. But this is not happening because IIS is checking the certificate status using OCSP and our main engine is not performing the OCSP Validation. Can any one explain how IIS acts when a certificate is revoked.

Can i know weather IIS check the client certificate status using Online Provider.

Hi, As this issue is related to IIS, I suggest discussing it in our IIS forum. They are the best resource to troubleshoot this issue. http://forums.iis.net/ Tim Quan - MSFT