When starting the CA Gateway server, you can use the -e option to enable CRL checking. See Running the CA Gateway Docker container for details.
When revocation checking is enabled, every client certificate must include a CRL Distribution Point (CDP) extension pointing to an up-to-date CRL. The handshake does not complete if the client certificate has no CDP extension or if the URL in that extension is unavailable.
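
A pre-flight check for the requirement above, as an added example that is not part of the CA Gateway documentation or product: it lists the CDP URLs in a client certificate and can print the nextUpdate of the CRL they point to. It assumes a PEM certificate, OpenSSL 1.1.1 or later, curl, and a DER-encoded CRL; the function names, the sample certificates and the URL `http://crl.example.test/ca.crl` are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for clients of a server that enforces CRL checking:
# does the client certificate carry a CDP extension, and where does it point?

# Print each CDP URI in the PEM certificate $1, one per line (nothing if absent).
cdp_urls() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        sed -n 's/^[[:space:]]*URI://p'
}

# Return 0 if the certificate has at least one CDP URI, 1 otherwise.
has_cdp() {
    [ -n "$(cdp_urls "$1")" ]
}

# Fetch the CRL at URL $1 and print its nextUpdate so staleness is visible.
# Needs network access; assumes the CRL is served DER-encoded.
crl_next_update() {
    tmp=$(mktemp) || return 1
    rc=1
    if curl -fsS --max-time 10 -o "$tmp" "$1"; then
        openssl crl -inform DER -in "$tmp" -noout -nextupdate && rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample input: throwaway self-signed cert, with CDP URL $2 if given.
make_sample_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -days 1 \
            -subj "/CN=constructed-client" \
            -addext "crlDistributionPoints=URI:$2" -out "$1" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -days 1 \
            -subj "/CN=constructed-client" -out "$1" 2>/dev/null
    fi
}

# Demo over two constructed certificates (no network needed).
dir=$(mktemp -d)
make_sample_cert "$dir/with.pem" "http://crl.example.test/ca.crl"
make_sample_cert "$dir/without.pem"
for c in "$dir/with.pem" "$dir/without.pem"; do
    if has_cdp "$c"; then echo "$c: CDP -> $(cdp_urls "$c")"
    else echo "$c: no CDP extension, handshake will not complete"
    fi
done
rm -rf "$dir"
```

For a real client certificate, run `cdp_urls client.pem` and pass each URL to `crl_next_update` from a host with the same network reach as the server, since the server is the one that must retrieve the CRL.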