Certificate revocation checking

The MCP VMs support checking for SSL certificate revocation using Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP).

This is configured in custom-config-data.yaml by setting the enable-ocsp and enable-crl parameters to the desired values. If both are configured, OCSP will take priority.

This parameter is reconfigurable.

If certificate revocation checking is enabled, MCP may require access to external servers to check the revocation status of the certificates used by the Microsoft Teams Phone System Consultation API and the Azure Active Directory (AAD) Token API.

When the enable-crl option is set to True, MCP needs to be able to connect to the CRL servers specified in the certificates presented by these API endpoints.

If the enable-ocsp option is set to True, MCP will initially request server-side OCSP stapling, which does not require any additional network access. However, if server-side OCSP stapling is unsuccessful, MCP will fall back to client-side OCSP, which requires that MCP is able to contact the OCSP server directly.

The CRL and OCSP servers for the Microsoft Teams Phone System consultation API and AAD token API endpoints are as follows:

Note that these are provided here as fully qualified domain names (FQDNs) as the IP address(es) that these FQDNs resolve to may change over time.

A list of IP addresses used by Digicert can be found at https://knowledge.digicert.com/alerts/digicert-certificate-status-ip-address

Tools such as nslookup may be used to determine the current IP addresses for the Microsoft OCSP and CRL endpoints.

TCP port 80 is used to connect outbound to both the CRL and OCSP servers.