Does anyone know what the hostcheck does as far as validating a Windows Machine certificate?
Does it check the CRL?
Does it validate the private key?
Thanks for any information.
Yes, it can check the CRL (if CRL checking is configured) and it checks the key against a trusted cert authority certificate that you load into the box under "System / Configuration / Certificates / Trusted Client CAs"
In the restriction parameters of a realm or a role you can choose certificates and/or host checker policies directed to cert checks, but:
The check for the CRL is not configured there but at the layer system -> configuration -> Certificates -> trusted client CAs
There you define for a specific Certificate Authority (CA) if you want to check the CRL, or to use OCSP (Online Certificate Status Protocol) to check online the validity of a cert, or to do no checks at all about the validity of the cert when a client presents its client cert.
The check to use a CRL or not can so far only be decided at this layer but not at the layer of the concrete hc policy itself. This is at least my understanding of the software mechanism in place with Juniper.
The "validation of the private key" is always done with every authentication mechanism using certificates on every "real" product from any vendor. Otherwise it would make no sense. The certificate contains only the public key and is spread "all over the world". When someone presents this cert to gain entrance to some secure area, he must have the private key to solve a cryptographic challenge the guard is presenting to him. So the correct answering of this cryptographic challenge is the "validation of the private key": I - and hopefully only I - have it.
regards, William
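As an added illustration of the three checks discussed in this thread (chain to a Trusted Client CA, CRL status, and the challenge that "validates the private key"), here is a small Python script using the `cryptography` library. It is not Juniper code and not from the thread; the CA, hostnames, serial numbers and the revoked entry are all constructed in the script itself.

```python
import datetime, os
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW, DAY, PKCS1 = datetime.datetime.utcnow(), datetime.timedelta(days=1), padding.PKCS1v15()

def gen_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def issue(subject, issuer, issuer_key, pubkey, serial):
    """Issue a certificate for pubkey, valid one day either side of now, signed by issuer_key."""
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(serial)
            .not_valid_before(NOW - DAY).not_valid_after(NOW + DAY)
            .sign(issuer_key, hashes.SHA256()))

def sig_ok(pubkey, sig, data, hash_alg):
    """True if sig is a valid RSA PKCS#1 v1.5 signature over data under pubkey."""
    try:
        pubkey.verify(sig, data, PKCS1, hash_alg)
        return True
    except InvalidSignature:
        return False

# Constructed PKI: the CA an admin would load as a Trusted Client CA, one good machine cert,
# one machine cert the CA has since revoked, and the CA's CRL listing that revoked serial.
ca_key, good_key, other_key = gen_key(), gen_key(), gen_key()
ca_name = name("Constructed Trusted Client CA")
ca_cert = issue(ca_name, ca_name, ca_key, ca_key.public_key(), 1)
good_cert = issue(name("host01.example.test"), ca_name, ca_key, good_key.public_key(), 1001)
revoked_cert = issue(name("host02.example.test"), ca_name, ca_key, other_key.public_key(), 1002)
crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
       .last_update(NOW - DAY).next_update(NOW + DAY)
       .add_revoked_certificate(
           x509.RevokedCertificateBuilder().serial_number(1002).revocation_date(NOW).build())
       .sign(ca_key, hashes.SHA256()))

def chains_to_ca(cert, ca):
    """Step 1: issued by the trusted CA, the CA's signature verifies, and we are inside the validity window."""
    return (cert.issuer == ca.subject and cert.not_valid_before <= NOW <= cert.not_valid_after
            and sig_ok(ca.public_key(), cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm))
def not_revoked(cert, crl, ca):
    """Step 2: the CRL is really the CA's (signature checks) and does not list this cert's serial."""
    return crl.is_signature_valid(ca.public_key()) and crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None
def proves_possession(cert, signer_key):
    """Step 3: the presenter signs a fresh nonce; only the private key matching the cert makes it verify."""
    challenge = os.urandom(32)
    return sig_ok(cert.public_key(), signer_key.sign(challenge, PKCS1, hashes.SHA256()), challenge, hashes.SHA256())
```

A cert that passes step 1 but not step 2 is exactly the case the CRL/OCSP setting on the Trusted Client CA entry exists for, and step 3 is why a leaked certificate alone (without its private key) gets nobody in.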
private key validation based on root CA