Keeping revocation information up to date
As a best practice, configure Content Gateway to check the status of every certificate before accepting it, to ensure that the certificate has not been revoked. There are two methods of doing this: CRLs (see Certificate revocation lists) and OCSP (see Online certification status protocol).
- CRLs may include information about thousands of certificates, and may therefore take some time to download and process.
- OCSP operates on a request/response basis for individual certificates, which may improve performance, but not all CAs provide OCSP responses.
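
To see which of the two methods a given certificate's CA supports, inspect the revocation pointers embedded in the certificate. The script below is an added example, not part of the Content Gateway documentation; it assumes the `openssl` command-line tool is installed, and the function names, hostnames and sample certificates are constructed for illustration (nothing is fetched over the network).

```shell
#!/usr/bin/env bash
# Added example: list the revocation sources a certificate advertises.
# Hostnames and certificates below are constructed; nothing is downloaded.

# Prints "ocsp=<url|none> crl=<url|none>" for the PEM certificate in $1.
revocation_sources() {
  local cert="$1" ocsp crl
  # OCSP responder URL from the Authority Information Access extension.
  ocsp=$(openssl x509 -in "$cert" -noout -ocsp_uri 2>/dev/null | head -n 1)
  # First URI listed under the CRL Distribution Points extension.
  crl=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
        sed -n '/CRL Distribution Points/,/URI:/ s/^[[:space:]]*URI://p' | head -n 1)
  printf 'ocsp=%s crl=%s\n' "${ocsp:-none}" "${crl:-none}"
}

# Builds a throwaway self-signed certificate in $1 using extension section $2.
make_sample_cert() {
  local out="$1" section="$2" cnf
  cnf=$(mktemp)
  cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed.example.test
[both]
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
crlDistributionPoints = URI:http://crl.example.test/ca.crl
[crl_only]
crlDistributionPoints = URI:http://crl.example.test/ca.crl
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$cnf" -extensions "$section" \
    -keyout "$out.key" -out "$out" -days 1 2>/dev/null
  rm -f "$cnf" "$out.key"
}

# One certificate whose CA offers both methods, one whose CA offers CRLs only.
demo() {
  local dir; dir=$(mktemp -d)
  make_sample_cert "$dir/both.pem" both
  make_sample_cert "$dir/crl_only.pem" crl_only
  revocation_sources "$dir/both.pem"
  revocation_sources "$dir/crl_only.pem"
  rm -rf "$dir"
}
demo
```

A result of `ocsp=none` means the certificate advertises no OCSP responder, so only CRL checking can cover it.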