After you enable
certificate verification using OCSP, the
firewall verifies the status of a certificate when establishing an SSL/TLS session.
First, an authenticating client (firewall) sends an OCSP request to an OCSP responder
(server). The request includes the serial number of the target certificate. Next, the
OCSP responder uses the serial number to search the database of the CA that issued the
certificate for its revocation status. Then, the OCSP responder returns the certificate
status (good, revoked, or unknown) to the client. The firewall drops sessions
with revoked certificates.