Support for OCSP Verification through HTTP Proxy

HTTP proxy servers can inspect and forward OCSP requests and responses to OCSP responders and authenticating clients.
PAN-OS 11.0 adds support for Online Certificate Status Protocol (OCSP) certificate revocation checks through HTTP/S proxies. If your network deployment includes a web proxy, you can configure OCSP to validate certificates, and all OCSP requests and responses will pass through your proxy server. The benefits of checking certificate status using OCSP instead of, or in addition to, certificate revocation lists (CRLs) include real-time status responses and reduced usage of network and client resources.
The workflow of OCSP certificate validation through a web proxy is as follows:
  1. An authenticating client (firewall) forwards an OCSP request to the proxy. The request contains the serial number for the certificate the client wants to validate.
  2. The proxy validates the request and identifies the OCSP responder for the certificate authority (CA) that issued the certificate.
  3. The proxy forwards the OCSP request to the responder, and the OCSP responder looks up the revocation status for the certificate in the CA database.
  4. The OCSP responder sends the certificate status (good, revoked, or unknown) to the proxy.
  5. The proxy forwards the certificate status to the client.
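The client side of steps 1 and 5 above, as an added example that is not PAN-OS or Palo Alto Networks code: it builds the OCSP request that carries the certificate serial number, frames it as an HTTP POST addressed to a forward proxy with proxy credentials, and reads the responseStatus off the relayed reply. The responder URL, proxy credentials and issuer bytes used in the assertions are constructed sample values, and the DER encoder covers only what this request needs.

```python
import base64
import hashlib
from urllib.parse import urlsplit

def der(tag, body):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):
    # Non-negative INTEGER, padded so the first content byte's high bit is clear.
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

SHA1_ALGID = der(0x30, b"\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00")  # { id-sha1, NULL }

def build_ocsp_request(issuer_name_der, issuer_public_key_bits, serial):
    """RFC 6960 OCSPRequest (v1, no extensions) whose CertID names 'serial' as
    issued by the issuer whose DER Name and subjectPublicKey bits are given."""
    cert_id = der(0x30, SHA1_ALGID
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())         # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_public_key_bits).digest())  # issuerKeyHash
                  + der_int(serial))                                          # serialNumber
    request = der(0x30, cert_id)          # Request ::= SEQUENCE { reqCert CertID }
    tbs = der(0x30, der(0x30, request))   # TBSRequest { requestList SEQUENCE OF Request }
    return der(0x30, tbs)                 # OCSPRequest ::= SEQUENCE { tbsRequest }

def proxied_http_post(responder_url, ocsp_der, proxy_user=None, proxy_password=None):
    """Bytes the client writes to the proxy socket: an absolute-URI request line
    (so the proxy can pick the responder to relay to) plus Proxy-Authorization."""
    headers = [f"POST {responder_url} HTTP/1.1", f"Host: {urlsplit(responder_url).netloc}",
               "Content-Type: application/ocsp-request", f"Content-Length: {len(ocsp_der)}"]
    if proxy_user is not None:
        cred = base64.b64encode(f"{proxy_user}:{proxy_password}".encode()).decode()
        headers.append(f"Proxy-Authorization: Basic {cred}")
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + ocsp_der

def ocsp_response_status(response_der):
    """responseStatus ENUMERATED at the front of the relayed OCSPResponse:
    0 = successful, 3 = tryLater, 6 = unauthorized (responder does not serve that CA)."""
    i = 1                                                                 # past SEQUENCE tag
    i += 1 + ((response_der[i] & 0x7F) if response_der[i] & 0x80 else 0)  # past its length
    if response_der[i] != 0x0A or response_der[i + 1] != 1:
        raise ValueError("not an OCSPResponse")
    return response_der[i + 2]
```

For an HTTPS responder the client opens a CONNECT tunnel through the proxy instead of sending the absolute-URI request line; the OCSP body is the same. A non-zero responseStatus is the first thing to check when a proxied lookup fails, since it separates a proxy or transport problem from a responder that does not know the issuing CA.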
The following procedure assumes you have not set up a web proxy.
  1. Configure an HTTP proxy (Device > Setup > Services).
    You can use the following CLI commands to configure a proxy server for OCSP status checks (and CRL downloads).
    • set deviceconfig system secure-proxy-server <value>
    • set deviceconfig system secure-proxy-port <1-65535>
    • set deviceconfig system secure-proxy-user <value>
    • set deviceconfig system secure-proxy-password <value>
  2. Configure an OCSP responder.
    If your enterprise has its own public key infrastructure (PKI), you can configure a firewall as an OCSP responder.
  3. Configure revocation status verification of certificates.