To use the Online Certificate Status Protocol
(OCSP) to verify the revocation status of certificates, you
must configure the firewall to access an OCSP responder (server).
The entity that manages the OCSP responder can be a third-party
certificate authority (CA). If your enterprise has its own public
key infrastructure (PKI), you can use external OCSP responders or
you can configure the firewall itself as an OCSP responder. For
details on OCSP, see Certificate Revocation.