Which three statements about PKI on Cisco IOS Software are true? (Choose three.)
A. OCSP is well-suited for enterprise PKIs in which CRLs expire frequently.
B. The match certificate and allow expired-certificate commands are ignored unless the router clock is set.
C. If a certificate-based ACL specifies more than one field, any one successful field-to-value test is treated as a match.
D. OCSP enables a PKI to use a CRL without time limitations.
E. Certificate-based ACLs can be configured to allow expired certificates if the peer is otherwise valid.
F. Different OCSP servers can be configured for different groups of client certificates.
OCSP also allows the network administrator the flexibility to specify multiple OCSP servers, either per client certificate or per group of client certificates.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-cfg-auth-rev-cert.html#GUID-2F09BB5F-42D2-4B33-90A9-2C64718B8C89