Block sessions on certificate status check timeout—Whether to block sessions if the status check times out depends on your company’s security compliance stance, because it is a tradeoff between tighter security and a better user experience. Certificate status verification examines the Certificate Revocation List (CRL) on a revocation server or uses the Online Certificate Status Protocol (OCSP) to find out whether the issuing CA has revoked the certificate, in which case the certificate should not be trusted. However, revocation servers can be slow to respond, which can cause the status check to time out and the firewall to block the session even though the certificate may be valid. If you enable Block sessions on certificate status check timeout and the revocation server is slow to respond, you can use the Certificate Revocation Checking settings to change the default timeout value of five seconds to another value. For example, you could increase the timeout value to eight seconds, as shown in the following figure.
Enable both CRL and OCSP certificate revocation checking, because server certificates can contain the CRL URL in the CRL Distribution Point (CDP) extension or the OCSP URL in the Authority Information Access (AIA) certificate extension.
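The following added example (not code from the Palo Alto Networks documentation this text belongs to, and not the firewall's own implementation) shows the two pieces of this setting in working form: where a checker finds the CRL and OCSP endpoints in a server certificate (the CDP and AIA extensions named above), and how the block-on-timeout setting and the timeout value change the verdict when a revocation server answers slowly. It uses the third-party `cryptography` package; the certificate, its `crl.example.test` and `ocsp.example.test` URLs, and the responder latencies are constructed test data.

```python
"""Added example: revocation endpoints from CDP/AIA and the status-check
timeout policy. Uses the third-party `cryptography` package; certificate
and responder latencies below are constructed test data."""
import datetime
from dataclasses import dataclass

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

DEFAULT_TIMEOUT_SECONDS = 5.0  # default status-check timeout stated in the text


def build_test_certificate() -> x509.Certificate:
    """Self-signed test certificate carrying constructed CDP and AIA URLs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        # CRL Distribution Point extension: where the CRL is published
        .add_extension(
            x509.CRLDistributionPoints([
                x509.DistributionPoint(
                    full_name=[x509.UniformResourceIdentifier("http://crl.example.test/ca.crl")],
                    relative_name=None, reasons=None, crl_issuer=None,
                )
            ]),
            critical=False,
        )
        # Authority Information Access extension: where the OCSP responder lives
        .add_extension(
            x509.AuthorityInformationAccess([
                x509.AccessDescription(
                    AuthorityInformationAccessOID.OCSP,
                    x509.UniformResourceIdentifier("http://ocsp.example.test"),
                )
            ]),
            critical=False,
        )
    )
    return builder.sign(key, hashes.SHA256())


def revocation_endpoints(cert: x509.Certificate) -> dict:
    """Return the CRL URLs (from CDP) and OCSP URLs (from AIA) a checker would contact.

    A certificate may carry only one of the two extensions, which is why both
    CRL and OCSP checking should be enabled; a missing extension yields an empty list.
    """
    crl_urls, ocsp_urls = [], []
    try:
        cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
        for dp in cdp:
            for gn in dp.full_name or []:
                if isinstance(gn, x509.UniformResourceIdentifier):
                    crl_urls.append(gn.value)
    except x509.ExtensionNotFound:
        pass
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        for ad in aia:
            if ad.access_method == AuthorityInformationAccessOID.OCSP:
                ocsp_urls.append(ad.access_location.value)
    except x509.ExtensionNotFound:
        pass
    return {"crl": crl_urls, "ocsp": ocsp_urls}


@dataclass
class ResponderResult:
    """Constructed model of one revocation server's behaviour for a check."""
    latency_seconds: float   # how long the server took to answer
    revoked: bool            # what it answered (ignored if it exceeded the timeout)


def session_decision(results, timeout_seconds, block_on_timeout) -> str:
    """Model the verdict: 'allow', 'block-revoked' or 'block-timeout'.

    The responders listed for the certificate (CRL and/or OCSP) are consulted;
    the first answer that arrives within the timeout settles the question.
    If none does, the block-on-timeout setting decides the outcome.
    """
    for r in results:
        if r.latency_seconds <= timeout_seconds:
            return "block-revoked" if r.revoked else "allow"
    return "block-timeout" if block_on_timeout else "allow"


if __name__ == "__main__":
    cert = build_test_certificate()
    print(revocation_endpoints(cert))
    slow_crl = [ResponderResult(latency_seconds=7.0, revoked=False)]
    print(session_decision(slow_crl, DEFAULT_TIMEOUT_SECONDS, block_on_timeout=True))
    print(session_decision(slow_crl, 8.0, block_on_timeout=True))
```

Running the script shows the tradeoff the text describes: with the five-second default and blocking enabled, a responder that takes seven seconds causes a block even though the certificate is not revoked; raising the timeout to eight seconds lets the same valid session through, at the cost of holding it open longer while the responder is slow.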