The process of certificate validation is similar to the process used to authorize credit card transactions. To begin with, a relying party, which is client or server software that checks signed data using another private key, verifies that the certificate hasn’t been revoked, as part of the run-time use of X509v3 certificates.

Then a certificate chain should be constructed, up to a trusted root. Each certificate should then be checked to determine that it hasn’t been revoked. The relying party then has three choices of revocation checking mechanisms:

Fetch CRL and cache and use it as a basis for checking revocation status (CRL/CRL DP)
Ask an OCSP responder for status (revoked, good, or unknown)
Use SCVP to delegate chain building and validation to the Validation Authority