When establishing an SSL/TLS session, clients can use
Online Certificate Status Protocol (OCSP) to check the revocation
status of the authentication certificate. The authenticating client
sends a request containing the serial number of the certificate
to the OCSP responder (server). The responder searches the database
of the certificate authority (CA) that issued the certificate and
returns a response containing the status (good, revoked or unknown)
to the client. The advantage of the OCSP method is that it can verify
status in real time, instead of depending on the issue frequency
(hourly, daily, or weekly) of CRLs.

The following applications use certificates to authenticate users
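The request/response exchange described above, as an added example written here in Python with the `cryptography` library (not code from this document or from Palo Alto Networks): a constructed test CA and user certificates, a responder that looks the requested serial up in its CA database and signs a good/revoked answer, and a client that builds the request, verifies the responder's signature and reads the status. The CA key signing the responses directly, the serial numbers and the revocation record are all assumptions of the example.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

NOW = datetime.datetime.now(datetime.timezone.utc)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test CA")])
CA_KEY, USER_KEY = (rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(2))

def make_cert(cn, pub_key, serial):
    """Constructed test PKI: a minimal certificate issued by Test CA, valid for one day."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(CA_NAME)
            .public_key(pub_key).serial_number(serial).not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=1)).sign(CA_KEY, hashes.SHA256()))

CA_CERT = make_cert("Test CA", CA_KEY.public_key(), 1)
ALICE, BOB, STRANGER = (make_cert(cn, USER_KEY.public_key(), s)
                        for cn, s in (("alice", 1001), ("bob", 1002), ("stranger", 1003)))
# Constructed CA database as the responder sees it; STRANGER is deliberately not recorded in it.
ISSUED = {1001: ALICE, 1002: BOB}
REVOKED = {1002: (NOW - datetime.timedelta(hours=2), x509.ReasonFlags.key_compromise)}

def responder(request_der):
    """Responder side: look the serial from the request up in the CA database and sign the answer."""
    req = ocsp.load_der_ocsp_request(request_der)
    cert = ISSUED.get(req.serial_number)
    if cert is None:  # not a serial this responder is authoritative for: answer 'unauthorized' (RFC 6960)
        return ocsp.OCSPResponseBuilder.build_unsuccessful(
            ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(serialization.Encoding.DER)
    rev_time, reason = REVOKED.get(req.serial_number, (None, None))
    status = ocsp.OCSPCertStatus.REVOKED if rev_time else ocsp.OCSPCertStatus.GOOD
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=CA_CERT, algorithm=req.hash_algorithm, cert_status=status,
                          this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
                          revocation_time=rev_time, revocation_reason=reason)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
            .sign(CA_KEY, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)

def client_check(cert):
    """Client side: send the serial, then trust the answer only if the CA signed it and it names that serial."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, CA_CERT, hashes.SHA1()).build()
    resp = ocsp.load_der_ocsp_response(responder(req.public_bytes(serialization.Encoding.DER)))
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return resp.response_status.name.lower()
    CA_CERT.public_key().verify(resp.signature, resp.tbs_response_bytes, padding.PKCS1v15(), resp.signature_hash_algorithm)
    assert resp.serial_number == cert.serial_number, "response does not refer to the requested certificate"
    return resp.certificate_status.name.lower()
```

A response that fails the signature check or names a different serial must be treated as no answer at all, since an unsigned "good" is exactly what an attacker holding a revoked certificate would want the client to accept.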
and/or devices: Authentication Portal, GlobalProtect (remote user-to-site
or large scale), site-to-site IPSec VPN, and web interface access
to Palo Alto Networks firewalls or Panorama. To use OCSP for verifying
the revocation status of the certificates: