Decryption Settings: Certificate Revocation Checking

Select Session, and in Decryption Settings, select Certificate Revocation Checking to set the parameters described in the following table.
Session Features: Certificate Revocation Checking Settings

Setting
  Description

Enable: CRL
  Select this option to use the certificate revocation list (CRL) method to verify the revocation status of certificates.
  If you also enable Online Certificate Status Protocol (OCSP), the firewall first tries OCSP; if the OCSP server is unavailable, the firewall then tries the CRL method.
  For more information on decryption certificates, see Keys and Certificates for Decryption.

Receive Timeout: CRL
  If you enabled the CRL method for verifying certificate revocation status, specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from the CRL service.

Enable: OCSP
  Select this option to use OCSP to verify the revocation status of certificates.

Receive Timeout: OCSP
  If you enabled the OCSP method for verifying certificate revocation status, specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from the OCSP responder.

Block Session With Unknown Certificate Status
  Select this option to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall proceeds with the session.

Block Session On Certificate Status Check Timeout
  Select this option to block SSL/TLS sessions after the firewall registers a CRL or OCSP request timeout. Otherwise, the firewall proceeds with the session.

Certificate Status Timeout
  Specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from any certificate status service and applies any session blocking logic you optionally define. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
    • If you enable both OCSP and CRL: the firewall registers a request timeout after the lesser of two intervals passes, the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
    • If you enable only OCSP: the firewall registers a request timeout after the lesser of two intervals passes, the Certificate Status Timeout value or the OCSP Receive Timeout value.
    • If you enable only CRL: the firewall registers a request timeout after the lesser of two intervals passes, the Certificate Status Timeout value or the CRL Receive Timeout value.
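The following is an added example, not part of the PAN-OS documentation: a small Python model of the check order (OCSP first, CRL as fallback) and of the timeout arithmetic in the three bullets above, run against constructed responder results. The setting names and the response tuples are this example's own, not firewall API names.

```python
from dataclasses import dataclass


@dataclass
class RevocationSettings:
    # Field names are this example's own; values mirror the table above (seconds, 1 to 60).
    enable_ocsp: bool = False
    enable_crl: bool = False
    ocsp_receive_timeout: int = 5
    crl_receive_timeout: int = 5
    certificate_status_timeout: int = 5
    block_on_unknown_status: bool = False
    block_on_timeout: bool = False


def effective_timeout(s):
    """Seconds after which a request timeout is registered, per the three bullets above."""
    if s.enable_ocsp and s.enable_crl:
        return min(s.certificate_status_timeout, s.ocsp_receive_timeout + s.crl_receive_timeout)
    if s.enable_ocsp:
        return min(s.certificate_status_timeout, s.ocsp_receive_timeout)
    if s.enable_crl:
        return min(s.certificate_status_timeout, s.crl_receive_timeout)
    return None  # neither method enabled: no revocation check is made


def session_decision(s, responses):
    """responses: constructed {'ocsp': (status, latency_s), 'crl': (status, latency_s)},
    status in 'good' | 'unknown' | 'unavailable'. Returns (outcome, 'allow' | 'block')."""
    limit = effective_timeout(s)
    if limit is None:
        return ("not_checked", "allow")
    order = []
    if s.enable_ocsp:                      # OCSP is tried first ...
        order.append(("ocsp", s.ocsp_receive_timeout))
    if s.enable_crl:                       # ... then CRL, if OCSP gave no answer
        order.append(("crl", s.crl_receive_timeout))
    elapsed = 0
    for name, receive_timeout in order:
        status, latency = responses[name]
        elapsed += min(latency, receive_timeout)  # stops waiting at the service's Receive Timeout
        if elapsed >= limit:
            break                                 # Certificate Status Timeout reached
        if status == "unavailable" or latency > receive_timeout:
            continue                              # no answer from this service: try the next one
        if status == "unknown":
            return ("unknown", "block" if s.block_on_unknown_status else "allow")
        return ("good", "allow")
    return ("timeout", "block" if s.block_on_timeout else "allow")
```

With the defaults (all three timeouts at 5 seconds and both methods enabled), the effective limit is 5 seconds, so a slow OCSP responder alone can exhaust the budget before the CRL fallback is ever consulted.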