The ProxySG appliance acts as an OCSP and queries a remote OCSP responder on the intranet or Internet each time it needs to verify a certificate. In addition, OCSP provides the most secure means of checking certificate revocation status because the checks are done in real time.

The OCSP responder sends one of the following certificate statuses back to the ProxySG (the OCSP client):

• Good—The certificate is not revoked and valid at the time of the query.
• Revoked—The certificate has been revoked either permanently or temporarily.
• Unknown—The responder does not know the revocation status of the certificate.