Neither Certificate Revocation Lists (CRLs) nor the Online Certificate Status Protocol (OCSP) is supported, so the switch has no way to check the revocation status of a controller certificate. If a controller certificate is revoked or compromised, the PKI must issue a new controller certificate chain and certificate. The original controller CA certificate(s) must then be cleared from the switch's configuration and replaced with the new CA certificate(s).
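The effect of swapping the trust anchor can be reproduced in a lab with `openssl`. This is an added example, not taken from the switch documentation and not switch CLI: `openssl verify` stands in for the switch's chain validation, and the CA and controller names (`old-ca`, `new-ca`, `old-controller`, `new-controller`) are made up.

```shell
#!/bin/sh
# Constructed lab: every name, subject and path here is invented for the example.
WORK=$(mktemp -d)

# make_ca NAME: create a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME: issue a controller certificate NAME signed by CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
        -out "$WORK/$2.pem" 2>/dev/null
}

# trusted_by CA NAME: succeed if NAME's certificate chains to CA.
# No CRL or OCSP lookup is made, which mirrors the limitation described above.
trusted_by() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca old-ca                        # CA that issued the compromised certificate
make_ca new-ca                        # replacement CA issued by the PKI
issue_cert old-ca old-controller      # the compromised controller certificate
issue_cert new-ca new-controller      # the reissued controller certificate

# Show the outcome for each trust store / presented certificate combination.
for ca in old-ca new-ca; do
    for cert in old-controller new-controller; do
        if trusted_by "$ca" "$cert"; then result=ACCEPTED; else result=REJECTED; fi
        echo "trust store=$ca  presented=$cert  -> $result"
    done
done
```

While `old-ca` remains the trust anchor, the compromised certificate is still accepted; it is rejected only once the trust store holds `new-ca` alone.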