nse8_812 Exam Questions

nse8_812 Exam - Question 49


An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

Correct Answer: ABD

OCSP checks will always go to the configured FortiAuthenticator as specified by the 'set ocsp-default-server 'FortiAuthenticator'' setting. Additionally, the configuration allows for the OCSP check of the certificate to be combined with a certificate revocation list, as the settings permit CRL and OCSP checking to be configured independently. Options C and D are incorrect. OCSP certificate responses can be cached, contradicting option C. Option D is also incorrect because with 'strict-ocsp-check enable' configured, if the OCSP server is unreachable, authentication will not succeed even if the certificate matches the CA.
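To make the interaction of the settings discussed above concrete, here is an added Python model (not part of the question, the site's explanation, or FortiOS itself). It assumes the semantics the discussion describes: `ocsp-option certificate` uses the responder URL carried in the peer certificate and falls back to `ocsp-default-server`, an imported CRL is checked independently of OCSP, and `strict-ocsp-check` decides whether an unreachable responder fails closed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model of a few 'config vpn certificate setting' knobs (assumed semantics).
@dataclass
class CertSetting:
    ocsp_status: bool = True                   # 'set ocsp-status enable'
    ocsp_option: str = "certificate"           # 'certificate': cert's AIA URL; 'server': default server
    ocsp_default_server: Optional[str] = None  # 'set ocsp-default-server "FortiAuthenticator"'
    strict_ocsp_check: bool = False            # 'set strict-ocsp-check enable'

@dataclass
class PeerCert:
    serial: str
    ocsp_url: Optional[str] = None             # OCSP responder from the AIA extension, if any

# Status callback: returns "good", "revoked", or None when the responder is unreachable.
OcspLookup = Callable[[str], Optional[str]]

def select_responder(setting: CertSetting, cert: PeerCert) -> Optional[str]:
    """Pick the OCSP responder: the certificate's own URL when ocsp-option is
    'certificate' and the cert carries one, otherwise the configured default server."""
    if setting.ocsp_option == "certificate" and cert.ocsp_url:
        return cert.ocsp_url
    return setting.ocsp_default_server

def evaluate(setting: CertSetting, cert: PeerCert, lookup: OcspLookup,
             crl_revoked: frozenset = frozenset()) -> tuple:
    """Return (accept, reason). CRL and OCSP are independent checks: an imported
    CRL (modelled as a set of revoked serials) is consulted first, then OCSP if enabled."""
    if cert.serial in crl_revoked:
        return False, "revoked by CRL"
    if not setting.ocsp_status:
        return True, "OCSP disabled"
    responder = select_responder(setting, cert)
    status = lookup(responder) if responder else None
    if status == "good":
        return True, f"OCSP good via {responder}"
    if status == "revoked":
        return False, f"OCSP revoked via {responder}"
    # Responder unreachable (or none configured): strict mode fails closed,
    # non-strict mode accepts the certificate (assumed behaviour).
    if setting.strict_ocsp_check:
        return False, "OCSP unreachable and strict-ocsp-check enabled"
    return True, "OCSP unreachable, non-strict mode accepts"
```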

Discussion

ac89l (Options: AB)
Jan 23, 2024

I vote for AB

ac89l
Jan 23, 2024

Correction: AC. C - Certificate Revocation Lists are cached lists that contain the validity of certificates. There can be a change in the validity of the certificate; however, the cached CRL would not have that information. OCSP avoids that problem by sending on-demand requests to an OCSP server to confirm a certificate's validity. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-OCSP-and-OSCP-responder-errors/ta-p/198293

ac89l
Jan 23, 2024

Reviewing the question for the third time >> such a stupid, misleading question.

ama6 (Options: BD)
Sep 25, 2023

B and D are correct. See: Certificate Revocation Lists (CRLs) | FortiGate / FortiOS 7.2.0 - Fortinet Document Library; Online Certificate Status Protocol (OCSP) | FortiGate / FortiOS 7.2.0 - Fortinet Document Library

ac89l
Jan 23, 2024

How could D be correct when you have strict-ocsp-check?

ama6 (Options: AD)
Sep 29, 2023

A. OCSP checks will always go to the configured FortiAuthenticator: This statement is true. The configuration specifies "Set ocsp-default-server Fortiauthenticator," which means that OCSP checks will always be directed to the configured FortiAuthenticator server for certificate status verification.

node345 (Options: AB)
Mar 1, 2024

I vote for A and B. A is correct because of the ocsp-default-server setting and because the CA for the configured peer is also the FortiAuthenticator. Otherwise it would not be correct because we have "ocsp-option certificate". B is also correct because you can configure CRL and OCSP checking independently. C is tricky, but probably not correct, because I found a bug in FortiOS with the following description "534346 WAD memory leak on OCSP certificate caching", which means that there is some OCSP caching. D is not correct because of the setting "set strict-ocsp-check enable".