Add—Click to add an account partner verification certificate.
 | Note |
|
Your account partner must send you the verification certificate. |
Remove—Click to delete the highlighted certificate from the list of verification certificates.
| Note |
|
You cannot delete the last certificate because at least one certificate must be present. |
View—Click to view a description of the highlighted certificate in the list of verification certificates.
Revocation Settings
Check the end certificate—This option checks to see if the end certificate in the certificate chain has been revoked. Selecting this option can increase performance because only the certificate revocation list (CRL) that is associated with the certification authority (CA) that issued the end certificate is checked for revocation status, instead of any CRLs that are higher in the certificate chain than that end certificate's CA.
 | Caution |
|
Select this option only if you trust the CA that issued the end certificate. |
Check the end Certificate in the Cache only—This option performs the same actions as Check the end certificate, but instead of checking revocation status from the CA that issued the end certificate directly, revocation checking is performed on a CRL that has been imported into the Local Machine store.
| Note |
|
If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail. |
Check the entire Certificate Chain—This option checks revocation status on every certificate in the chain, including the root certificate. Although most revocation checks exclude checking the root certificate, this option runs a check to verify that the root certificate has not been revoked.
Check the entire Certificate Chain in the Cache only—This option performs the same actions as Check the entire Certificate Chain, but instead of checking revocation status from the CA that issued the root certificate directly, revocation checking is performed on a CRL that has been imported into the Local Machine store.
| Note |
|
If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail. |
Check the entire Chain excluding the Root—This option checks revocation status on every certificate in the chain except for the root certificate. This option is the default setting for revocation checking in AD FS.
Check the entire Chain excluding the Root in the Cache only—This option performs the same actions as Check the entire Chain excluding the Root, but instead of checking revocation status from the CAs that issued the certificates directly, revocation checking is performed on a CRL that has been imported into the Local Machine store.
| Note |
|
If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail. |