To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder can be a third-party certificate authority (CA). If your enterprise has its own public key infrastructure (PKI), you can use external OCSP responders or you can configure the firewall itself as an OCSP responder. For details on OCSP, see Certificate Revocation.
1. Define an external OCSP responder or configure the firewall itself as an OCSP responder.
   a. Select Device > Certificate Management > OCSP Responder and click Add.
   b. Enter a Name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
   c. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
   d. In the Host Name field, enter the host name (recommended) or IP address of the OCSP responder. You can enter an IPv4 or IPv6 address. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified. If you configure the firewall itself as an OCSP responder, the host name must resolve to an IP address on the interface that the firewall uses for OCSP services.
   e. Click OK.
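Before pointing the firewall at a responder, it is worth confirming that the responder answers and distinguishes good from revoked certificates. The script below is an added example, not part of the PAN-OS documentation: it builds a throwaway CA with openssl, runs openssl's own OCSP responder on loopback port 8888 (assumed to be free) with one valid and one revoked certificate, and queries both in a single OCSP request. The same client command, given the real issuer certificate and the responder's host name, checks an external responder.

```shell
#!/bin/sh
# Added example (not from the PAN-OS documentation): stand up a throwaway
# OCSP responder with openssl and query it. Assumes the openssl binary is
# on PATH and that loopback port 8888 is free.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI: a CA plus one valid and one revoked leaf certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1
for name in good revoked; do
  openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
    -subj "/CN=$name.example.test" >/dev/null 2>&1
done
openssl x509 -req -in good.csr -CA ca.crt -CAkey ca.key -set_serial 0x0A01 \
  -days 1 -out good.crt >/dev/null 2>&1
openssl x509 -req -in revoked.csr -CA ca.crt -CAkey ca.key -set_serial 0x0A02 \
  -days 1 -out revoked.crt >/dev/null 2>&1

# OpenSSL CA index the responder reads: status, expiry, revocation date,
# serial (uppercase hex), file name, subject. Only the R entry has a
# revocation timestamp; the responder answers "good" for V and "revoked" for R.
printf 'V\t301231235959Z\t\t0A01\tunknown\t/CN=good.example.test\n' > index.txt
printf 'R\t301231235959Z\t240101000000Z\t0A02\tunknown\t/CN=revoked.example.test\n' >> index.txt

# ocsp_status: start a responder that serves exactly one request, then send
# one OCSP request covering both leaf certificates and print the
# "<file>: <status>" summary line for each. The response is signed by the CA
# key, so -CAfile ca.crt lets the client verify the signature.
ocsp_status() {
  openssl ocsp -index index.txt -port 8888 -CA ca.crt -rsigner ca.crt \
    -rkey ca.key -nrequest 1 >/dev/null 2>&1 &
  sleep 1
  openssl ocsp -issuer ca.crt -cert good.crt -cert revoked.crt \
    -CAfile ca.crt -url http://127.0.0.1:8888 2>/dev/null \
    | grep -E '^[a-z]+\.crt: '
  wait
}

ocsp_status
```

Expected output is one line per certificate: "good.crt: good" and "revoked.crt: revoked"; an "unknown" status means the responder has no record of the serial number, which is what a misconfigured responder host name or index typically produces.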
2. If you want the firewall to use the management interface for the OCSP responder interface, enable OCSP communication on the firewall. Otherwise, continue to the next step to configure an alternate interface.
   a. Select Device > Setup > Management.
   b. In the Management Interface Settings section, edit to select the