Revoking certificates by OCSP query
Online Certificate Status Protocol (OCSP) enables you to validate certificates, and detect revoked ones, by querying a responder rather than by importing certificate revocation list (CRL) files. Distributing and installing CRL files can be a considerable burden in large organizations, and the delay between the release of a CRL and its installation is a window during which an already-revoked certificate is still accepted, so OCSP is often preferable.
To use OCSP queries, you must first install the certificates of trusted OCSP/CRL servers.
To view or upload a remote certificate
1. Go to System > Certificates > Remote.
To access this part of the web UI, your administrator's account access profile must have Read-Write permission to items in the System category. For details, see “Permissions”.
2. To upload a file, click Import.
A dialog appears.
3. If the remote server will present a certificate (for example, if FortiADC is making an HTTPS connection to it), click Browse and select its OCSP-compatible certificate file.
4. In OCSP, type the URL of the OCSP server.
5. Click Import.
6. Select OCSP when configuring a certificate verification rule (see “Configuring FortiADC to validate certificates”).
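The following script is an added example, not FortiADC's own code or configuration: it uses the openssl command line to reproduce, offline, the three steps a device performs when it validates a certificate by OCSP query (build the request, obtain a signed response from the responder, verify the response against the trusted CA), and it shows where the OCSP URL typed in step 4 normally comes from. It assumes the openssl CLI is installed; the CA, the certificates and the URL http://ocsp.example.test are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not FortiADC's own code): an offline OCSP round trip with openssl,
# mirroring what a device does when it validates a certificate by OCSP query.
# Everything below is constructed for the example; the OCSP URL is a placeholder.
set -e

# Build a throwaway CA, one valid and one revoked end-entity certificate, and the
# responder's status database (openssl ca index format) in directory $1.
make_test_pki() {
  d=$1
  printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test\n' > "$d/aia.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Example Test CA' \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  serial=1
  for name in good revoked; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -set_serial $serial -days 30 -extfile "$d/aia.cnf" -out "$d/$name.pem" 2>/dev/null
    serial=$((serial + 1))
  done
  # Columns: status (V=valid, R=revoked), expiry, revocation date, serial, file, subject.
  printf 'V\t350101000000Z\t\t01\tunknown\t/CN=good.example.test\n' > "$d/index.txt"
  printf 'R\t350101000000Z\t240101000000Z\t02\tunknown\t/CN=revoked.example.test\n' >> "$d/index.txt"
}

# The responder URL a certificate advertises (this is what goes in the OCSP field).
ocsp_url() { openssl x509 -in "$1" -noout -ocsp_uri; }

# 1) build the OCSP request for certificate $2, 2) have the CA answer it from index.txt
# (standing in for the remote responder), 3) verify the signed response against the
# trusted CA and report the certificate's status: good, revoked or unknown.
ocsp_status() {
  d=$1; cert=$2
  openssl ocsp -issuer "$d/ca.pem" -cert "$cert" -no_nonce -reqout "$d/req.der" >/dev/null
  openssl ocsp -index "$d/index.txt" -CA "$d/ca.pem" -rsigner "$d/ca.pem" -rkey "$d/ca.key" \
    -reqin "$d/req.der" -respout "$d/resp.der" -no_nonce -CAfile "$d/ca.pem" >/dev/null
  openssl ocsp -respin "$d/resp.der" -issuer "$d/ca.pem" -cert "$cert" -CAfile "$d/ca.pem" \
    -no_nonce | awk -v c="$cert:" '$1 == c { print $2 }'
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
echo "responder URL: $(ocsp_url "$WORK/good.pem")"
for name in good revoked; do
  echo "$name.pem: $(ocsp_status "$WORK" "$WORK/$name.pem")"
done
```

A certificate whose serial is absent from the responder's database comes back as unknown rather than good, which is why the responder must be fed the issuing CA's current index.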
See also
How to offload HTTPS
Revoking certificates