Online Certificate Status Protocol (OCSP)
Palo Alto Networks firewalls can use the Online Certificate Status Protocol (OCSP) to check the revocation status of X.509 digital certificates (SSL/TLS certificates). The advantages of using OCSP instead of, or in addition to, certificate revocation lists (CRLs) are more timely status responses and lower network and client resource use, because the client asks the responder about one certificate instead of downloading and parsing the issuing CA's entire CRL.
After you enable certificate verification using OCSP, the firewall verifies the status of a certificate when establishing an SSL/TLS session. First, the authenticating client (the firewall) sends an OCSP request to an OCSP responder (server). The request identifies the target certificate by its serial number together with hashes of the issuer's name and public key, so the responder knows which CA's records to consult. Next, the OCSP responder uses the serial number to look up the certificate's revocation status in the records of the CA that issued it. Then, the OCSP responder returns a signed response carrying the certificate status (good, revoked, or unknown) to the client. The firewall drops sessions with revoked certificates. The client must verify the signature on the response against the issuing CA, or against a responder certificate that CA has authorized, before trusting the status; an unsigned or unverifiable "good" answer is worth nothing, because anyone on the network path could have produced it. How the firewall treats an unknown status or a responder it cannot reach is a certificate profile setting, so decide that deliberately rather than leaving it to chance.
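The exchange described above, reproduced offline with the openssl command line, as an added example that is not Palo Alto Networks code or configuration. A throwaway CA issues a leaf certificate; openssl ocsp then plays the client (building the request from the certificate's serial number and issuer hashes), the responder (answering from the CA's index file and signing with the CA key), and the client again (verifying the signature against the trusted CA before reading the status). The CA name, the subject vpn.example.test, the serial number 0x1001 and the index rows are all constructed for this example.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks code: one OCSP round trip with openssl.
# Every name, serial number and index row below is constructed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, certs and DER files
SERIAL=1001                    # leaf serial in hex; must match the index rows
cd "$WORK"

# Throwaway issuing CA plus one leaf certificate signed by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Issuing CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key \
        -set_serial "0x$SERIAL" -days 1 -out leaf.crt >/dev/null 2>&1
}

# The CA's status records in "openssl ca" index.txt layout (tab separated):
# status, expiry, revocation date, serial, file name, subject DN.
# The responder looks rows up by serial; the expiry column is not consulted,
# so a fixed placeholder value is used there.
write_index() {   # $1 is V (valid) or R (revoked)
    if [ "$1" = R ]; then
        revoked_at=$(date -u +%y%m%d%H%M%SZ)
    else
        revoked_at=""
    fi
    printf '%s\t%s\t%s\t%s\tunknown\t%s\n' \
        "$1" 491231235959Z "$revoked_at" "$SERIAL" "/CN=vpn.example.test" >index.txt
}

# Step 1, client side (the firewall's role): build the request naming the
# certificate by issuer hashes and serial number, and save it as DER.
make_request() {
    openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1
}

# Decode the saved request and return the serial number the responder will look up.
request_serial() {
    openssl ocsp -reqin req.der -req_text -noverify 2>/dev/null |
        sed -n 's/^ *Serial Number: //p'
}

# Step 2, responder side: answer from the index and sign the response. Signing
# with the CA key itself keeps the example short; a production responder uses
# a delegated OCSP signing certificate issued by the CA.
answer_request() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1
}

# Step 3, client side again: trust the status only after the responder's
# signature verifies against the CA, then return good, revoked or unknown.
check_status() {
    openssl ocsp -issuer ca.crt -cert leaf.crt -respin resp.der -CAfile ca.crt \
        -no_nonce >summary.txt 2>verify.txt || true
    if ! grep -q '^Response verify OK' verify.txt; then
        echo untrusted-response
        return 1
    fi
    sed -n 's/^leaf\.crt: //p' summary.txt
}

main() {
    make_pki
    write_index V; make_request; answer_request
    echo "request asks about serial:  $(request_serial)"
    echo "status before revocation:   $(check_status)"
    write_index R; answer_request
    echo "status after CA revokes it: $(check_status)"
}
main
```

The second run of answer_request reuses the unchanged request file: the client's question is identical, only the CA's records behind the responder have changed, which is exactly why a client must not cache a "good" answer beyond the lifetime the responder gives it.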
Palo Alto Networks firewalls cache OCSP responses for the CAs in the firewall's trusted CA list. A response for a given issuing CA enters the cache only after the firewall has validated a certificate issued by that CA, so the cache is populated on first use rather than filled in advance. Caching OCSP responses speeds up subsequent checks and minimizes OCSP traffic to the responder.
The following applications use certificates to authenticate users and devices: Authentication Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks firewalls or Panorama. To use OCSP to verify the revocation status of certificates that authenticate users and devices, perform the following steps:
1. Enable the HTTP OCSP service on the firewall (only if you configure the firewall itself as an OCSP responder).
2. Create or obtain a certificate for each application.
3. Configure a certificate profile for each application.
4. Assign the certificate profile to the relevant application.