We are looking at creating an internal PKI. There is one point I am unsure about regarding certificate revocation checking: we can possibly use CRL or OCSP; however, how does the entity checking the revocation list know which one to use?
Secondly, I see we can publish certificates in Active Directory. When we do so, does the entity checking the certificate check for the presence of the certificate against the user object in AD, or does it still use CRL/OCSP only?