Block sessions on certificate status check timeout—Whether
to block sessions if the status check times out depends on your
company’s security compliance stance because it’s a tradeoff between tighter
security and a better user experience. Certificate status verification examines
the Certificate Revocation List (CRL) on a revocation server or
uses Online Certificate Status Protocol (OCSP) to find out if the
issuing CA has revoked the certificate and the certificate should
not be trusted. However, revocation servers can be slow to respond,
which can cause the session to time out and the firewall to block
the session even though the certificate may be valid. If you enable
Block sessions on certificate status check timeout and the
revocation server is slow to respond, use Certificate Revocation
Checking to change the default timeout value of five seconds to
another value. For example, you could increase the timeout value
to eight seconds, as shown in the following figure.
Enable both CRL and OCSP
certificate revocation checking because
server certificates can contain the CRL URL in the CRL Distribution
Point (CDP) extension or the OCSP URL in the Authority Information
Access (AIA) certificate extension.
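The following Go program is an added example, not part of this documentation or the firewall's own code. It builds a constructed self-signed certificate that carries a CRL Distribution Point URL and an OCSP URL in its AIA extension (the `example.invalid` hosts are placeholders), shows that both URLs are recoverable from the parsed DER, and then applies the timeout policy described above against a hypothetical slow revocation responder: a 50 ms deadline against a responder that needs 200 ms leads to a block or an allow depending on the fail-closed setting, and raising the deadline lets the same valid certificate through. `Checker`, `SlowResponder` and `Decide` are names invented for this illustration.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is the result of a CRL or OCSP lookup.
type RevocationStatus int

const (
	StatusGood    RevocationStatus = iota // issuing CA reports the certificate as not revoked
	StatusRevoked                         // issuing CA has revoked the certificate
	StatusUnknown                         // responder unreachable or the lookup timed out
)

// Checker stands in for a CRL/OCSP fetch. It is a hypothetical interface used here
// so the policy can be exercised offline; a real checker would download the CRL at
// crlURLs or query the OCSP responder at ocspURLs.
type Checker func(ctx context.Context, crlURLs, ocspURLs []string) (RevocationStatus, error)

// SlowResponder simulates a revocation server that answers with result after delay,
// or reports StatusUnknown if the caller's deadline expires first.
func SlowResponder(delay time.Duration, result RevocationStatus) Checker {
	return func(ctx context.Context, _, _ []string) (RevocationStatus, error) {
		select {
		case <-time.After(delay):
			return result, nil
		case <-ctx.Done():
			return StatusUnknown, ctx.Err()
		}
	}
}

// Decide applies the timeout policy: the lookup gets at most timeout to answer; if it
// does not, blockOnTimeout selects fail-closed (block the session) or fail-open (allow it).
func Decide(cert *x509.Certificate, check Checker, timeout time.Duration, blockOnTimeout bool) (bool, string) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	status, err := check(ctx, cert.CRLDistributionPoints, cert.OCSPServer)
	switch {
	case err == nil && status == StatusGood:
		return true, "not revoked"
	case err == nil && status == StatusRevoked:
		return false, "revoked by issuing CA"
	case errors.Is(err, context.DeadlineExceeded):
		if blockOnTimeout {
			return false, "status check timed out; blocked by policy"
		}
		return true, "status check timed out; allowed by policy"
	default:
		return false, "status check failed: " + fmt.Sprint(err)
	}
}

// NewTestCert builds a self-signed certificate with constructed CDP and AIA URLs and
// re-parses it, so the URLs below come from real DER rather than from the template.
func NewTestCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "test.example.invalid"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		CRLDistributionPoints: []string{"http://crl.example.invalid/ca.crl"}, // placeholder CDP
		OCSPServer:            []string{"http://ocsp.example.invalid"},       // placeholder AIA OCSP URL
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("CDP URLs:", cert.CRLDistributionPoints, "AIA OCSP URLs:", cert.OCSPServer)
	slow := SlowResponder(200*time.Millisecond, StatusGood) // valid certificate, slow server
	for _, block := range []bool{true, false} {
		ok, why := Decide(cert, slow, 50*time.Millisecond, block)
		fmt.Printf("blockOnTimeout=%v -> allow=%v (%s)\n", block, ok, why)
	}
	ok, why := Decide(cert, slow, 500*time.Millisecond, true)
	fmt.Printf("timeout raised to 500ms -> allow=%v (%s)\n", ok, why)
}
```

Both URL lists are handed to the checker because, as the text notes, a given server certificate may carry only a CDP, only an AIA OCSP URL, or both; a checker that consults only one of them will report StatusUnknown for certificates that only publish the other.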