Products | Versions |
---|---|
TIBCO ActiveMatrix Policy Manager | - |
Not Applicable | - |
Resolution:
1) The Policy Agent first tries the "CRL distribution points" (CDP) embedded in the certificate. These take precedence.
2) If the agent cannot connect to the CRL distribution point location named in the certificate, it falls back to the "Known CRL Locations" configured when the keystore was registered.
3) If the certificate contains no "CRL distribution points" but the "Perform CRL check" option is selected, the agent goes directly to the "Known CRL Locations" and picks the link tied to the specific CA.
There is one more piece. The agent builds a cache of these revocation lists, and once a list is in the cache the cache is always checked first. So if you have a certificate with CRL distribution points set up and the published list does not contain that particular certificate, sending a test message will succeed and the agent will cache the list for that certificate's CA. If you then revoke the certificate and send another test message, the message will still succeed, because the agent is now using the cached list, which does not contain the certificate. There are two ways to clear the cache and have it rebuilt:
1. Restart the agent.
2. Wait until the 'next update' time of that particular CRL has passed. You can check this time by double-clicking the CRL file in Windows.
So the search order is:
1. Cache
2. CRL distribution points (if present in the certificate)
3. Known CRL Locations (optional link supplied while registering the certificate in PM)
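The lookup order and the cache behaviour described above, replayed as an added example (this is illustrative code, not Policy Manager's own implementation). The `Crl`, `Cert` and `CrlChecker` names, the `fetch` callback and the clock are assumptions; the CRL locations, serials and timestamps are constructed. The first demo shows the stale-cache case from the text: a certificate revoked after its CA's list was cached still passes until the cached list's 'next update' time passes or the agent is restarted. The second demo shows the fallback to the Known CRL Location when the certificate's distribution point is unreachable.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Crl:
    """Minimal stand-in for a parsed CRL: issuing CA, listed serials and its nextUpdate time."""
    issuer: str
    revoked_serials: Set[int]
    next_update: datetime


@dataclass
class Cert:
    """Only the fields the lookup order needs (hypothetical model, not PM's certificate object)."""
    serial: int
    issuer: str
    crl_distribution_points: List[str] = field(default_factory=list)


class CrlChecker:
    """Models the search order from the article: cache, then CDP, then Known CRL Locations."""

    def __init__(self, fetch: Callable[[str], Optional[Crl]],
                 known_crl_locations: Dict[str, str],
                 now: Callable[[], datetime] = datetime.now):
        self._fetch = fetch                  # returns None when a location is unreachable
        self._known = known_crl_locations    # issuer -> URL, as configured at keystore registration
        self._now = now                      # injectable clock so nextUpdate expiry can be shown
        self._cache: Dict[str, Crl] = {}     # one cached list per issuing CA

    def _fetch_and_cache(self, cert: Cert, url: str) -> Optional[Crl]:
        crl = self._fetch(url)
        if crl is not None:
            self._cache[cert.issuer] = crl
        return crl

    def _crl_for(self, cert: Cert) -> Optional[Crl]:
        # 1. cache, used for as long as the cached list's nextUpdate has not passed
        cached = self._cache.get(cert.issuer)
        if cached is not None and self._now() < cached.next_update:
            return cached
        # 2. CRL distribution points embedded in the certificate
        for url in cert.crl_distribution_points:
            crl = self._fetch_and_cache(cert, url)
            if crl is not None:
                return crl
        # 3. Known CRL Location registered for this CA
        url = self._known.get(cert.issuer)
        if url is not None:
            return self._fetch_and_cache(cert, url)
        return None

    def is_revoked(self, cert: Cert) -> Optional[bool]:
        """True/False when a CRL was obtained; None when no CRL could be found at all."""
        crl = self._crl_for(cert)
        if crl is None:
            return None
        return cert.serial in crl.revoked_serials

    def restart(self) -> None:
        """Equivalent of restarting the agent: the cache is dropped and rebuilt on the next check."""
        self._cache.clear()


def demo_stale_cache() -> List[Optional[bool]]:
    """Revoke a certificate after its CA's CRL was cached and observe when the agent notices."""
    clock = {"now": datetime(2024, 1, 1, 12, 0, 0)}                      # constructed start time
    cdp = "http://cdp.example.test/ca1.crl"                                # constructed location
    server: Dict[str, Crl] = {cdp: Crl("CA1", set(), clock["now"] + timedelta(hours=1))}
    checker = CrlChecker(fetch=server.get,
                         known_crl_locations={"CA1": "http://known.example.test/ca1.crl"},
                         now=lambda: clock["now"])
    cert = Cert(serial=42, issuer="CA1", crl_distribution_points=[cdp])

    results = [checker.is_revoked(cert)]                  # fetched from the CDP and cached: False
    # the CA revokes serial 42 and publishes a new list at the same location
    server[cdp] = Crl("CA1", {42}, clock["now"] + timedelta(hours=2))
    results.append(checker.is_revoked(cert))              # still False: answered from the stale cache
    clock["now"] += timedelta(hours=1, minutes=1)         # the cached list's nextUpdate passes
    results.append(checker.is_revoked(cert))              # re-fetched from the CDP: True
    checker.restart()
    results.append(checker.is_revoked(cert))              # cache rebuilt after the restart: True
    return results


def demo_known_location_fallback() -> Optional[bool]:
    """The CDP in the certificate is unreachable, so the Known CRL Location for CA1 is used."""
    now = datetime(2024, 1, 1)
    known = "http://known.example.test/ca1.crl"                            # constructed location
    server = {known: Crl("CA1", {7}, now + timedelta(days=1))}             # CDP URL absent: unreachable
    checker = CrlChecker(fetch=server.get, known_crl_locations={"CA1": known}, now=lambda: now)
    cert = Cert(serial=7, issuer="CA1",
                crl_distribution_points=["http://cdp.example.test/unreachable.crl"])
    return checker.is_revoked(cert)                       # True, via the Known CRL Location
```

The second result in `demo_stale_cache()` is the case the article warns about: a revocation published while the cached list is still within its validity window is invisible to the agent until the 'next update' time passes or the agent is restarted, so a revocation test right after revoking a certificate is expected to pass.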