Keeping revocation information up to date
Help | Content Gateway | v8.5.x
As a best practice, configure Content Gateway to check the status of any certificate before accepting it, to ensure that the certificate has not been revoked. There are two methods of doing this: through CRLs (see Certificate revocation lists) and through OCSP (see Online certification status protocol).
Certificate revocation lists
Use the Configure > SSL > Validation > Revocation Settings tab to configure how Content Gateway keeps revocation information current, and to perform an immediate CRL update when needed.
By default, Content Gateway performs CRL downloads on a daily basis.
To configure a time for daily CRL downloads:
1. Select Download the CRL at, then select a time.
2. Click Apply.
To perform an immediate CRL update:
1. Click Update CRL Now to initiate the CRL download.
2. Because the update process may take some time, click View CRL Update Progress to see the status of the update.
For more information about certificate revocation lists, see RFC 3280.
Online certification status protocol
With OCSP, when a site wants to verify the revocation status of a certificate, it sends a request to the CA about the status of the certificate. The CA then responds, confirming the validity (or revocation) of the certificate.
Because not all CAs provide responses, CRLs can provide information about the status of more certificates.
Content Gateway enables you to cache OCSP responses about the revocation state of a certificate. Caching responses may be useful in environments with high volumes of SSL traffic and where saving bandwidth is important.
Use the Configure > SSL > Validation > Revocation Settings tab to configure how Content Gateway keeps revocation information current.
1.
2. Click Apply.
For more information about OCSP, see RFC 2560.
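
The cost of caching OCSP responses, as described above, is staleness: a cached "good" answer keeps being served after the CA revokes the certificate, until the entry expires. The following Python example is added here for illustration and is not Content Gateway's implementation; it shows a cache that bounds that window using the thisUpdate and nextUpdate times an OCSP response carries. The class names, field names, cache key and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class OcspStatus:
    status: str                      # "good", "revoked" or "unknown"
    this_update: datetime            # time at which the status was known to be correct
    next_update: Optional[datetime]  # time by which newer information is available

class OcspCache:
    """Hypothetical cache keyed by (issuer key hash, certificate serial)."""
    def __init__(self, max_age: timedelta, skew: timedelta = timedelta(minutes=5)):
        self.max_age = max_age  # operator's bound on trusting a cached answer
        self.skew = skew        # tolerated clock difference to the responder
        self._entries = {}

    def put(self, key, resp: OcspStatus, now: datetime) -> bool:
        # Never cache "unknown", future-dated or already-expired responses.
        if resp.status == "unknown" or resp.this_update > now + self.skew:
            return False
        if resp.next_update is not None and resp.next_update <= now:
            return False
        self._entries[key] = resp
        return True

    def get(self, key, now: datetime) -> Optional[OcspStatus]:
        resp = self._entries.get(key)
        if resp is None:
            return None
        expiry = resp.this_update + self.max_age
        if resp.next_update is not None:
            expiry = min(expiry, resp.next_update)
        if now >= expiry:
            del self._entries[key]  # stale: the caller must query the responder again
            return None
        return resp

def demo():
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    cache = OcspCache(max_age=timedelta(hours=4))
    key = ("issuer-key-hash-placeholder", 0x1001)           # constructed key
    cache.put(key, OcspStatus("good", t0, t0 + timedelta(days=7)), t0)
    # Served from cache after 1 hour; forced back to the responder after 5 hours.
    return cache.get(key, t0 + timedelta(hours=1)), cache.get(key, t0 + timedelta(hours=5))

if __name__ == "__main__":
    print(demo())
```

Here the responder allows the answer to be reused for seven days, but the 4-hour `max_age` shortens the period during which a later revocation would go unnoticed.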

Copyright 2023 Forcepoint. All rights reserved.