PAN-OS 11.0 adds support for
Online Certificate Status Protocol (OCSP)
certificate revocation checks through HTTP/S proxies. If your network deployment
consists of a web proxy, you can configure OCSP to validate certificates. All OCSP
requests and responses will pass through your proxy server. The benefits of checking
certificate status using OCSP instead of or in addition to
certificate revocation lists (CRLs)
include real-time status responses and reduced usage of network and client
resources.