Last Modified: Feb 16, 2021
Opened: Nov 18, 2020
A client SSL or server SSL profile can specify an OCSP object for validating client or server certificate status. After the DNS resolver of the OCSP object is modified, the new nameserver is never picked up. As a result, an incorrect OCSP responder will be contacted.
The incorrect (or the original) OCSP responder is contacted to get the peer certificate revocation status.
An OCSP object is configured in a Client Certificate Constrained Delegation (C3D) client SSL profile or in a server SSL profile and is later modified.