Certificate profiles define user and device
authentication for Authentication Portal, multi-factor authentication (MFA),
GlobalProtect, site-to-site IPSec VPN, external dynamic list (EDL)
validation, Dynamic DNS (DDNS), User-ID agent and TS agent access,
and web interface access to Palo Alto Networks firewalls or Panorama.
The profiles specify which certificates to use, how to verify certificate
revocation status, and how that status constrains access. Configure
a certificate profile for each application.

As a best practice, enable both Online Certificate Status Protocol
(OCSP) and Certificate Revocation List (CRL) status verification in
certificate profiles so the firewall can verify that a certificate hasn’t
been revoked. With both enabled, the firewall uses CRL if the OCSP
server isn’t available. For details on these methods, see Certificate
Revocation.
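
The following is an added illustration, not Palo Alto Networks code or PAN-OS configuration: a small Python model of the lookup order described above, showing why a profile with only OCSP enabled loses revocation coverage when the OCSP server is unreachable. All names here (`check_revocation`, `allow_access`, `block_unknown`) and the serial numbers are hypothetical and constructed for the example.

```python
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

class Unavailable(Exception):
    """The OCSP server or CRL source could not be reached."""

# Constructed sample data: serial numbers the issuing CA has revoked.
REVOKED_SERIALS = {0x1A2B}

def ocsp_up(serial):
    return Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD

def ocsp_down(serial):
    raise Unavailable("OCSP server not reachable")

def crl_lookup(serial):
    return Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD

def check_revocation(serial, ocsp, crl, use_ocsp=True, use_crl=True):
    """Try OCSP first; use CRL only when OCSP is unavailable.

    Returns (status, method_that_answered). If no enabled method
    answers, the status is UNKNOWN and the method is None.
    """
    methods = []
    if use_ocsp:
        methods.append(("ocsp", ocsp))
    if use_crl:
        methods.append(("crl", crl))
    for name, lookup in methods:
        try:
            return lookup(serial), name
        except Unavailable:
            continue  # fall through to the next enabled method
    return Status.UNKNOWN, None

def allow_access(status, block_unknown=True):
    """How the status constrains access (block_unknown is an assumed policy knob)."""
    if status is Status.REVOKED:
        return False
    if status is Status.UNKNOWN:
        return not block_unknown
    return True
```

With `ocsp_down` and `use_crl=False`, the revoked serial comes back as `UNKNOWN`, so the outcome depends entirely on the unknown-status policy; with both methods enabled, the same outage still yields `REVOKED` from the CRL.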