<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Certificate Revocation List (CRL) Checks Are Mandatory for Smart Card Authentication
Dec 16, 2025
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

This article explains that Certificate Revocation List (CRL) checks cannot be bypassed for Personal Identity Verification (PIV) or smart card authentication.

Applies To
  • Smart Card Authentication
  • PIV Authentication
Solution

Access to the CRL distribution points is required at all times for PIV and smart card authentication to support the certificate revocation process. Revocation checking is a critical security process. There is no supported method to disable or bypass CRL checks for smart card authentication, including for testing purposes.

 

Authentication fails if the CRL endpoint is not reachable. For testing, the environment must be configured to ensure its accessibility. For more information, please review Troubleshoot smart card or PIV authentication.

Recommended content

Still looking for help?
Loading
Certificate Revocation List (CRL) Checks Are Mandatory for Smart Card Authentication