Exam NSE8_812 topic 1 question 49 discussion

https://help.fortinet.com/fadc/4-4-0/cli/Content/FortiADC/cli-ref/config_system_certificate_crl.htm Online certificate status protocol (OCSP) is an alternative to CRL. OCSP is useful when you do not want to deploy CRL files, for example, or want to avoid the public exposure of your PKI structure even if it is only invalid certificates. https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-OCSP-and-OSCP-responder-errors/ta-p/198293 Certificate Revocation Lists are cached lists that contain the validity of certificates. There can be a change in the validity of the certificate, however, the cached CRL would not have that information. OCSP avoids that problem by sending on-demand requests to an OCSP server to confirm a certificate’s validity.

I vote for A and B. A is correct because of the ocsp-default-server setting and because the CA for the configured peer is also the FortiAuthenticator. Otherwise it would not be correct because we have "ocsp-option certificate". B is also correct because you can configure CRL and OCSP checking independently. C is tricky, but probably not correct, because I found a bug in FortiOS with the following description "534346 WAD memory leak on OCSP certificate caching", which means that there is some OCSP caching. D is not correct because of the setting "set strict-ocsp-check enable".

i vote for AB

A. OCSP checks will always go to the configured FortiAuthenticator: This statement is true. The configuration specifies "Set ocsp-default-server Fortiauthenticator," which means that OCSP checks will always be directed to the configured FortiAuthenticator server for certificate status verification.

B and D Are Correct Certificate Revocation Lists (CRLs) | FortiGate / FortiOS 7.2.0 - Fortinet Document Library Online Certificate Status Protocol (OCSP) | FortiGate / FortiOS 7.2.0 - Fortinet Document Library