Focus

Next-Generation Firewall

Certificate Revocation List (CRL)

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Certificate Revocation

Online Certificate Status Protocol (OCSP)

Certificate Revocation List (CRL)

You can check the validity of certificates with a certificate revocation list (CRL). These lists record certificates that have been revoked by the issuing certificate authority.

Each certificate authority (CA) periodically issues a certificate revocation list (CRL) to a public repository. The CRL is a time-stamped list that identifies revoked certificates by their serial numbers. After the CA revokes a certificate, the next CRL update includes that certificate's serial number. The firewall supports CRLs in Distinguished Encoding Rules (DER) and Privacy Enhanced Mail (PEM) formats.

Browsers, applications, and other parties that rely on certificates for authentication purposes, not only check both the certificate's signature and validity, but also retrieve a recent CRL to confirm that a certificate's serial number is not listed. Palo Alto Networks firewall downloads and caches the last-issued CRL for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the CRL for the issuing CA. Also, the cache only stores a CRL until it expires.

If you configure multiple CRL distribution points (CDPs) and the firewall cannot reach the first CDP, the firewall does not check the remaining CDPs. To redirect invalid CRL requests, configure a DNS proxy as an alternate server.

An advantage of the CRL revocation method is that CRLs can be distributed through the same channels as certificates themselves, through untrusted servers and untrusted communications. One limitation is the period nature of updates. There's a chance that a client could download a CRL before it's updated, missing recent revocations.

To use CRLs for verifying the revocation status of certificates that authenticate users and devices, configure a certificate profile and assign it to the interfaces that are specific to the application: Authentication Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, or web interface access to Palo Alto Networks firewalls or Panorama. For details, see Configure Revocation Status Verification of Certificates.

To use CRLs for verifying the revocation status of certificates used for the decryption of inbound and outbound SSL/TLS traffic, see Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.

An alternative to CRL is the Online Certificate Status Protocol (OCSP), which provides real-time certificate status.

Certificate Revocation

Online Certificate Status Protocol (OCSP)

Next-Generation Firewall Docs

Certificate Revocation List (CRL)

Next-Generation Firewall Docs

Certificate Revocation List (CRL)

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner