Find sites that have revoked certificates so you can
make informed decisions about allowed traffic.
A revoked certificate is no longer valid.
It may indicate that there are security issues with a site and that
the certificate is not trustworthy, although there are also benign
reasons why a certificate may be revoked.
trust revoked certificates; enable certificate revocation checking
to deny access to sites with revoked certificates.
order to drop sessions with revoked certificates and troubleshoot
revoked certificates, you need to enable certificate revocation
checking. If you don’t enable certificate revocation checking,
the firewall doesn’t check for revoked certificates and you won’t
know if a site has a revoked certificate.
Enable certificate revocation checking if you
haven’t already enabled it.
Enable both OCSP and CRL certificate checking.
sessions on certificate status check timeout
Forward Proxy Decryption profile and are concerned that 5 seconds
is not enough time and may result in too many sessions blocked by
timeouts, set the
Receive Timeout (sec)
a longer amount of time.
Filter the Decryption log (
to find certificate revocation errors using the query
(error eq ‘OCSP/CRL check: certificate revoked’)
) Double-check the certificate expiration
date at the Qualys SSL Labs site.