diff --git a/base/ocsp/src/main/java/com/netscape/cms/ocsp/CRLLdapValidator.java b/base/ocsp/src/main/java/com/netscape/cms/ocsp/CRLLdapValidator.java
index 857eff7b7f9..0b6ea60cf07 100644
--- a/base/ocsp/src/main/java/com/netscape/cms/ocsp/CRLLdapValidator.java
+++ b/base/ocsp/src/main/java/com/netscape/cms/ocsp/CRLLdapValidator.java
@@ -43,7 +43,7 @@ public CRLLdapValidator(LDAPStore crlStore) {
 @Override
 public boolean approve(X509Certificate certificate, ValidityStatus currentStatus) {
- logger.info("CRLLdapValidator: validate of peer's certificate for the connection " + certificate.getSubjectDN().toString());
+ logger.info("CRLLdapValidator: validate of peer's certificate for the connection " + certificate.getSubjectDN());
 ICRLIssuingPointRecord pt = null;
 try {
 Enumeration eCRL = crlStore.searchAllCRLIssuingPointRecord(-1);
@@ -55,11 +55,11 @@ public boolean approve(X509Certificate certificate, ValidityStatus currentStatus
 }
 }
 } catch (EBaseException e) {
- logger.error("CRLLdapValidator: problem find CRL issuing point for " + certificate.getIssuerDN().toString());
+ logger.error("CRLLdapValidator: problem find CRL issuing point. " + e.getMessage(), e);
 return false;
 }
 if (pt == null) {
- logger.error("CRLLdapValidator: CRL issuing point not found for " + certificate.getIssuerDN().toString());
+ logger.error("CRLLdapValidator: CRL issuing point not found for " + certificate.getIssuerDN());
 return false;
 }
 try {
@@ -72,7 +72,7 @@ public boolean approve(X509Certificate certificate, ValidityStatus currentStatus
 }
 }
 } catch (Exception e) {
- logger.error("CRLLdapValidator: crl check error. " + e.getMessage());
+ logger.error("CRLLdapValidator: crl check error. " + e.getMessage(), e);
 }
 logger.info("CRLLdapValidator: peer certificate not valid");
 return false;
diff --git a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
index 379a8bcdbeb..40238ca89fc 100644
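Review bot: The `approve(X509Certificate certificate, ValidityStatus currentStatus)` signature in this hunk is JSS's SSLCertificateApprovalCallback, and a true return from it accepts the peer certificate regardless of the chain-validation failures JSS has already recorded in `currentStatus`; none of the lines in this hunk consult that parameter. If the part of the method outside the hunks (lines 50–71) does not check it either, the CRL lookup replaces trust-chain, expiry and hostname validation instead of adding to it. I would reject before the issuing-point search whenever JSS reported a problem, e.g. `if (currentStatus.getReasons().hasMoreElements()) { logger.warn("CRLLdapValidator: JSS rejected peer certificate " + certificate.getSubjectDN()); return false; }`, or enumerate the reasons and tolerate only the ones this deployment explicitly accepts. The method body continues beyond this hunk.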
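Review bot: The new error line in the `catch (EBaseException e)` block drops the issuer DN that the old message carried, so an operator correlating a refused LDAP connection with the CA whose CRL could not be located no longer sees which issuer was involved. Keep both pieces of context: `logger.error("CRLLdapValidator: problem find CRL issuing point for " + certificate.getIssuerDN() + ": " + e.getMessage(), e);`. The two `return false;` paths in this hunk are fail-closed, which is the right default for a revocation check that cannot complete. The enclosing method starts before and ends after this hunk.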
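Review bot: The final `logger.info("CRLLdapValidator: peer certificate not valid")` is the line every rejection path ends on, including the `catch (Exception e)` branch just above it, yet it logs at info and names no certificate, so a refused TLS peer is indistinguishable from routine chatter. I would log at warn with the identities involved: `logger.warn("CRLLdapValidator: peer certificate not valid: " + certificate.getSubjectDN() + " issued by " + certificate.getIssuerDN());`. Catching `Exception` is acceptable here only because the fall-through is a rejection; a comment such as `// any failure during the CRL check rejects the peer (fail closed)` would keep a later edit from turning it into an accept. The try block this catch belongs to opens outside the hunk.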
--- a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
+++ b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
@@ -242,7 +242,7 @@ public void startup() throws EBaseException {
 updater.start();
 }
 if(mCheckConnection) {
- CMS.setApprovalCallbask(new CRLLdapValidator(this));
+ CMS.getCMSEngine().setApprovalCallback(new CRLLdapValidator(this));
 }
 }
diff --git a/base/ocsp/src/main/java/org/dogtagpki/server/ocsp/OCSPEngine.java b/base/ocsp/src/main/java/org/dogtagpki/server/ocsp/OCSPEngine.java
index db1941f744b..a4644552064 100644
--- a/base/ocsp/src/main/java/org/dogtagpki/server/ocsp/OCSPEngine.java
+++ b/base/ocsp/src/main/java/org/dogtagpki/server/ocsp/OCSPEngine.java
@@ -142,11 +142,11 @@ public boolean isRevoked(X509Certificate[] certificates) {
 }
 for (X509Certificate cert: certificates) {
- if(crlCertValid(crlStore, cert, null)) {
- return false;
+ if(!crlCertValid(crlStore, cert, null)) {
+ return true;
 }
 }
- return true;
+ return false;
 }
diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/CMS.java b/base/server/src/main/java/com/netscape/cmscore/apps/CMS.java
index 3e1e41a9c19..a5b8a1be6f3 100644
--- a/base/server/src/main/java/com/netscape/cmscore/apps/CMS.java
+++ b/base/server/src/main/java/com/netscape/cmscore/apps/CMS.java
@@ -23,7 +23,6 @@
 import java.util.Locale;
 import java.util.ResourceBundle;
-import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -54,8 +53,6 @@ public final class CMS {
 private static CMSEngine engine;
- private static SSLCertificateApprovalCallback approvalCallback;
-
 public static CMSEngine getCMSEngine() {
 return engine;
 }
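Review bot: `CMS.getCMSEngine().setApprovalCallback(new CRLLdapValidator(this))` installs the validator engine-wide, and PKISocketFactory.makeSSLSocket (later in this diff) hands that callback to every SSLSocket it builds, so the CRL check applies to every outbound TLS LDAP connection the engine opens, not just this store's. If this store's own LDAP traffic goes through that same factory, `approve()` runs during the handshake of a connection at the moment `searchAllCRLIssuingPointRecord` needs a connection to answer; it is worth confirming the pool neither hands back the half-open socket nor opens a second one whose handshake calls `approve()` again. A comment here, `// engine-wide: applied to every SSLSocket created by PKISocketFactory`, plus a warn log when a non-null callback is being replaced, would make the reach of this setting visible to the next reader. startup() begins before this hunk.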
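Review bot: With the inverted loop, `isRevoked` returns false for an empty or null `certificates` array unless the code above this hunk already rejects it, because the loop body never runs and control falls through to the new `return false;`. For a revocation check, "nothing to check" should not read as "not revoked"; I would add `if (certificates == null || certificates.length == 0) { return true; }` ahead of the loop, or state at the signature that callers guarantee a non-empty chain. The hunk itself is the right fix: one invalid certificate anywhere in the chain now reports revocation, where previously a single valid certificate cleared the whole chain. The signature and the lines before 142 are outside the hunk.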
@@ -64,14 +61,6 @@ public static void setCMSEngine(CMSEngine engine) {
 CMS.engine = engine;
 }
- public static SSLCertificateApprovalCallback getApprovalCallback() {
- return approvalCallback;
- }
-
- public static void setApprovalCallbask(SSLCertificateApprovalCallback approvalCallback) {
- CMS.approvalCallback = approvalCallback;
- }
-
 /**
 * Return the product name from /usr/share/pki/CS_SERVER_VERSION
 * which is provided by the server theme package.
diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java b/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java
index 07b00092925..dcedec8db42 100644
--- a/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java
@@ -50,6 +50,7 @@
 import org.mozilla.jss.crypto.SignatureAlgorithm;
 import org.mozilla.jss.netscape.security.util.Cert;
 import org.mozilla.jss.netscape.security.x509.X509CertImpl;
+import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
 import com.netscape.certsrv.authentication.ISharedToken;
 import com.netscape.certsrv.base.EBaseException;
@@ -151,6 +152,8 @@ public class CMSEngine implements ServletContextListener {
 protected LogSubsystem logSubsystem = LogSubsystem.getInstance();
 protected JssSubsystem jssSubsystem = JssSubsystem.getInstance();
 protected DBSubsystem dbSubsystem = new DBSubsystem();
+ protected SSLCertificateApprovalCallback approvalCallback;
+
 protected RequestRepository requestRepository;
@@ -301,6 +304,14 @@ public void registerPendingListener(String name, IRequestListener listener) {
 pendingNotifier.registerListener(name, listener);
 }
+ public SSLCertificateApprovalCallback getApprovalCallback() {
+ return approvalCallback;
+ }
+
+ public void setApprovalCallback(SSLCertificateApprovalCallback approvalCallback) {
+ this.approvalCallback = approvalCallback;
+ }
+
 public void loadConfig(String path) throws Exception {
 ConfigStorage storage = new FileConfigStore(path);
 config = createConfig(storage);
diff --git a/base/server/src/main/java/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/src/main/java/com/netscape/cmscore/ldapconn/PKISocketFactory.java
index 25e35b569df..f9879bd6821 100644
--- a/base/server/src/main/java/com/netscape/cmscore/ldapconn/PKISocketFactory.java
+++ b/base/server/src/main/java/com/netscape/cmscore/ldapconn/PKISocketFactory.java
@@ -151,7 +151,7 @@ public SSLSocket makeSSLSocket(String host, int port) throws UnknownHostExceptio
 SSLSocket s;
 if (mClientAuthCertNickname == null) {
- s = new SSLSocket(host, port, null, 0, CMS.getApprovalCallback(), null);
+ s = new SSLSocket(host, port, null, 0, CMS.getCMSEngine().getApprovalCallback(), null);
 } else {
 // Let's create a selection callback in the case the client auth
@@ -161,7 +161,7 @@ public SSLSocket makeSSLSocket(String host, int port) throws UnknownHostExceptio
 Socket js = new Socket(InetAddress.getByName(host), port);
 s = new SSLSocket(js, host,
- CMS.getApprovalCallback(),
+ CMS.getCMSEngine().getApprovalCallback(),
 new SSLClientCertificateSelectionCB(mClientAuthCertNickname));
 }
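Review bot: The new public `getApprovalCallback`/`setApprovalCallback` pair carries no Javadoc, and because PKISocketFactory.makeSSLSocket passes this value to every SSLSocket it creates, a reader of CMSEngine cannot tell that setting it changes how all outbound TLS peers are verified. I would add a Javadoc on the setter saying that the callback is handed to every SSLSocket built by PKISocketFactory, that null presumably leaves certificate checking to JSS's default behaviour (confirm against the JSS SSLSocket constructor contract), and that replacing a non-null value at runtime changes peer verification for all later connections. The field is written once at startup and read from whichever threads open sockets; if that single-writer-before-readers assumption does not hold, it should be declared `volatile`. registerPendingListener and loadConfig both extend outside the hunk.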
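Review bot: Both branches of `makeSSLSocket` now dereference `CMS.getCMSEngine()` inline, which turns an unset engine (the removed static getter simply returned null there) into a NullPointerException at socket-creation time, and reads the callback twice for one socket. Read it once before the `if` so both `new SSLSocket(...)` calls share it and there is a single place to log which verifier a connection gets: `SSLCertificateApprovalCallback approvalCallback = CMS.getCMSEngine().getApprovalCallback();`. If the factory can legitimately run before an engine is set, guard that read explicitly rather than letting the NPE surface from inside the LDAP layer. makeSSLSocket begins before this hunk and its else branch continues into the next one.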