When establishing an SSL/TLS session, clients can use
Online Certificate Status Protocol (OCSP) to check the revocation status
of the authentication certificate. The authenticating client sends
a request containing the serial number of the certificate to the
OCSP responder (server). The responder searches the database of
the certificate authority (CA) that issued the certificate and returns
a response containing the status (good, revoked or unknown) to the
client. The advantage of the OCSP method is that it verifies status
in real time, instead of depending on how often (hourly, daily, or
weekly) CRLs are issued.
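The exchange described above, as an added example that is not part of the original page or of any Palo Alto Networks code: the client builds the RFC 6960 CertID it sends to the responder (issuer name hash, issuer key hash and the certificate's serial number), then applies the checks a careful client makes on the answer before trusting a good, revoked or unknown status. The issuer bytes, serial number and responder answers are constructed sample values; the freshness limit and the handling of "unknown" are local policy assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed sample inputs (not from a real CA): in practice the issuer
# name and public key are read from the CA certificate that issued the leaf.
ISSUER_NAME_DER = b"\x30\x0f\x31\x0d\x30\x0b\x06\x03\x55\x04\x03\x0c\x04Demo"
ISSUER_KEY_BYTES = bytes(range(32))
LEAF_SERIAL = 0x1A2B3C4D

@dataclass(frozen=True)
class CertID:  # what the client sends in the request (RFC 6960 CertID)
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial_number: int

def build_cert_id(issuer_name_der: bytes, issuer_key: bytes, serial: int) -> CertID:
    # SHA-1 is the CertID hash algorithm responders most commonly expect.
    return CertID(hashlib.sha1(issuer_name_der).digest(),
                  hashlib.sha1(issuer_key).digest(), serial)
@dataclass
class SingleResponse:  # the part of the responder's answer the client acts on
    cert_id: CertID
    cert_status: str            # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]

def evaluate(resp: SingleResponse, expected: CertID, now: datetime,
             max_age: timedelta = timedelta(days=7),
             unknown_is_failure: bool = True) -> Tuple[bool, str]:
    """Decide whether the certificate may be accepted for authentication."""
    if resp.cert_id != expected:
        return False, "response is for a different certificate"
    if resp.this_update > now + timedelta(minutes=5):
        return False, "thisUpdate lies in the future (clock skew or replay)"
    if resp.next_update is not None and now > resp.next_update:
        return False, "response expired (nextUpdate has passed)"
    if resp.next_update is None and now - resp.this_update > max_age:
        return False, "response older than the local freshness limit"
    if resp.cert_status == "good":
        return True, "certificate not revoked"
    if resp.cert_status == "revoked":
        return False, "certificate revoked"
    return (not unknown_is_failure), "responder does not know this certificate"

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
LEAF_ID = build_cert_id(ISSUER_NAME_DER, ISSUER_KEY_BYTES, LEAF_SERIAL)
# Three constructed responder answers that exercise the decision logic.
GOOD = SingleResponse(LEAF_ID, "good", NOW - timedelta(hours=1), NOW + timedelta(days=1))
STALE = SingleResponse(LEAF_ID, "good", NOW - timedelta(days=3), NOW - timedelta(days=1))
UNKNOWN = SingleResponse(LEAF_ID, "unknown", NOW - timedelta(hours=1), None)
```

A stale "good" answer is rejected even though its status field looks favourable; whether "unknown" blocks authentication is a deliberate policy choice, and failing closed is the safer default.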
The following applications use certificates to authenticate users
and/or devices: Captive Portal, GlobalProtect (remote user-to-site
or large scale), site-to-site IPSec VPN, and web interface access
to Palo Alto Networks firewalls or Panorama. To use OCSP for verifying
the revocation status of the certificates: