Because each CRL you store on the ProxySG appliance requires memory for storage, you should consider using OCSP if you find that you require a large number of CRLs. With OCSP, you do not need to store the CRLs locally on the appliance. Instead, the ProxySG appliance acts as an OCSP client and queries a remote OCSP responder on the intranet or Internet each time it needs to verify a certificate. In addition, OCSP provides the most secure means of checking certificate revocation status because the checks are done in real time.
The OCSP responder sends one of the following certificate statuses back to the ProxySG (the OCSP client):
The ProxySG can also cache OCSP responses, and it can respect, override, or ignore the timestamp related to cacheability in the OCSP response.
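The sketch below is an added example, not ProxySG code, showing how an OCSP client could derive a cache lifetime from a response's `thisUpdate` and `nextUpdate` fields (RFC 6960) under the three behaviours mentioned above. The mode names, the default TTL, the clock-skew allowance, and the reading of "ignore" as "do not reuse the response" are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical mode names for the three behaviours named in the text.
RESPECT, OVERRIDE, IGNORE = "respect", "override", "ignore"

def cache_expiry(mode, received_at, this_update, next_update,
                 override_ttl=timedelta(days=1), skew=timedelta(minutes=5)):
    """Return when a cached OCSP response stops being reusable, or None for 'do not cache'."""
    # A response dated in the future (beyond allowed clock skew) is never cached.
    if this_update > received_at + skew:
        return None
    if mode == IGNORE:
        # Assumption: the timestamp is not consulted and every check goes to the responder.
        return None
    if mode == OVERRIDE:
        # Administrator TTL replaces the responder's value. A TTL longer than the
        # responder's window delays the moment a revocation becomes visible.
        return received_at + override_ttl
    if mode != RESPECT:
        raise ValueError(f"unknown mode: {mode}")
    # RFC 6960: nextUpdate is optional; without it there is nothing to cache against.
    if next_update is None or next_update <= received_at:
        return None
    return next_update

def must_query_responder(expiry, now):
    """True when no usable cached response exists at time `now`."""
    return expiry is None or now >= expiry

if __name__ == "__main__":
    # Constructed sample timestamps, not taken from a real responder.
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    this_upd, next_upd = now - timedelta(hours=1), now + timedelta(days=7)
    for mode in (RESPECT, OVERRIDE, IGNORE):
        exp = cache_expiry(mode, now, this_upd, next_upd)
        print(mode, exp, must_query_responder(exp, now + timedelta(days=2)))
```

The trade-off it makes visible: a longer cache lifetime reduces responder traffic but extends the period during which a newly revoked certificate is still treated as good.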
For more details on how to use OCSP with the ProxySG, refer to the SGOS Administration Guide.
To enable an OCSP revocation check, configure an OCSP responder profile: