Keeping revocation information up to date

Use the Configure > SSL > Validation > Revocation Settings page to configure how Content Gateway keeps revocation information current. By default, Content Gateway downloads CRLs on a daily basis.

For daily downloads of the CRLs, select Download the CRL at, and select the time when the CRL download occurs.

Click Apply.

Use this page as well if you need an immediate CRL update.

Click Update CRL Now to download the CRLs at a time other than that specified.


	Note The CRL files can contain thousands of certifications, so downloading CRLs can take some time and consume CPU resources. It is recommended that you download CRLs at a time when Internet traffic on your system is light.

Click View CRL Update Progress to see the status of the update.

For more information on certificate revocation lists, see RFC 3280.

Online certification status protocol (OCSP)

OCSP is a protocol that operates on a request/response basis. That is, when a site wants to verify the revocation status of a certificate, it sends a request to the CA about the status of the certificate. The CA then responds, confirming the validity (or revocation) of the certificate.

OCSP, because it is dealing with requests, rather than downloading CRLs, can provide improved performance. However, not all CAs provide responses, so CRLs can provide information about the status of more certificates.

Content Gateway enables you to cache OCSP responses about the revocation state of a certificate. Caching responses may be useful in environments with high amounts of SSL traffic and where saving bandwidth is important.

Use Configure > SSL > Validation > Revocation Settings to configure how Content Gateway keeps revocation information current.

Specify, in days, how long OCSP data should be cached. If you do not want to cache OCSP data, enter 0. The maximum is 1000 days

Click Apply.

For more information on OCSP, see RFC 2560.