Configure your web proxy to send and receive OCSP requests and status
responses.
If your network deployment consists of a web proxy, you can configure
Online Certificate Status Protocol (OCSP)
to validate certificates. All OCSP requests and responses will pass through your
proxy server. The benefits of checking certificate status using OCSP instead of or
in addition to
certificate revocation lists (CRLs)
include real-time status responses and reduced usage of network and client
resources.
The workflow of OCSP certificate validation through a web proxy is as follows:
- An authenticating client (firewall) forwards an OCSP request to the proxy. The
request contains the serial number for the certificate the client wants to
validate.
- The proxy validates the request and identifies the OCSP responder for the
certificate authority (CA) that issued the certificate.
- The proxy forwards the OCSP request to the responder, and the OCSP responder
looks up the revocation status for the certificate in the CA database.
- The OCSP responder sends the certificate status
(good, revoked, or
unknown) to the proxy.
- The proxy forwards the certificate status to the client.
The following procedure assumes you have not set up a web
proxy.