To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder can be a third-party certificate authority (CA). If your enterprise has its own public key infrastructure (PKI), you can use external OCSP responders or you can configure the firewall itself as an OCSP responder. For details on OCSP, see Certificate Revocation.
Configure an OCSP responder
Configure an OCSP responder in a Certificate Profile only when you generate a new certificate. Specify the OCSP Responder when you generate the certificate so that the firewall populates the Authority Information Access (AIA) field with the appropriate URL, and then specify the new certificate in the Certificate Profile. Configuring a Certificate Profile does not override the Certificate Profile for existing certificates or Root CAs.
You can enable OCSP validation or override the AIA field of a certificate in the Certificate Profile. The Certificate Profile configuration determines which certificate validation mechanisms are used for certificates that authenticate to services hosted on the firewall, such as GlobalProtect.
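The following is an added example, not part of the PAN-OS documentation and not firewall code: it uses the openssl CLI to build a throwaway CA and a leaf certificate whose AIA field points at a hypothetical responder URL (ocsp.example.internal is a placeholder), then runs the OCSP request/response exchange entirely offline. It shows the two things the firewall depends on in the text above: reading the responder URL from the AIA field of the certificate, and interpreting the responder's answer for a valid and for a revoked certificate. The index.txt rows are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the PAN-OS documentation): throwaway CA, leaf cert
# with an AIA OCSP URL, and an offline OCSP exchange with the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Hypothetical responder URL (placeholder host, not a real responder).
OCSP_URL="http://ocsp.example.internal:8080"

# 1. Constructed CA and leaf certificate. The leaf carries the AIA extension
#    that a firewall populates when an OCSP responder is set at generation time.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 \
  -subj "/CN=Example Internal CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=gp.example.internal" 2>/dev/null
printf 'authorityInfoAccess = OCSP;URI:%s\n' "$OCSP_URL" > leaf.ext
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# The responder URL a client discovers from the certificate's AIA field.
aia_ocsp_url() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# 2. CA database rows in the index.txt format openssl's responder reads:
#    status, expiry, revocation date, serial, file name, subject.
#    'V' = valid, 'R' = revoked. The expiry column is a constructed value;
#    the responder only looks at the status and revocation columns here.
SERIAL=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=gp.example.internal\n' \
  "$SERIAL" > index_valid.txt
printf 'R\t300101000000Z\t240601120000Z,keyCompromise\t%s\tunknown\t/CN=gp.example.internal\n' \
  "$SERIAL" > index_revoked.txt

# 3. The OCSP request a client would POST to the AIA URL (written to a file
#    instead of being sent over the network).
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1

# Responder side: answer the request file from a given index, signing the
# response with the CA key, and write the DER response.
answer_request() {
  openssl ocsp -index "$1" -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -reqin req.der -respout "$2" >/dev/null 2>&1
}
answer_request index_valid.txt resp_valid.der
answer_request index_revoked.txt resp_revoked.der

# 4. Client side: verify the response signature against the CA and return the
#    status word (good / revoked / unknown) reported for the leaf certificate.
ocsp_status() {
  openssl ocsp -issuer ca.pem -cert leaf.pem -CAfile ca.pem -no_nonce \
    -respin "$1" 2>/dev/null | awk '$1 == "leaf.pem:" { print $2 }'
}

echo "AIA OCSP URL  : $(aia_ocsp_url leaf.pem)"
echo "valid index   : $(ocsp_status resp_valid.der)"
echo "revoked index : $(ocsp_status resp_revoked.der)"
```

The responder is run in file mode (-reqin/-respout) so nothing listens on a port; against a real deployment the same request is carried over HTTP to the URL in the AIA field, or to the responder configured in the Certificate Profile when the AIA override is enabled.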