To verify the revocation status of certificates, the
firewall uses Online Certificate Status Protocol (OCSP) and/or certificate
revocation lists (CRLs). For details on these methods, see
Certificate Revocation. If you configure both methods, the firewall first
tries OCSP and only falls back to the CRL method if the OCSP responder
is unavailable. If your enterprise has its own public key infrastructure
(PKI), you can configure the firewall to function as the OCSP responder.
The following topics describe how to configure the firewall to
verify certificate revocation status: