Online Certificate Status Protocol (OCSP)
You can verify certificate validity in real-time with the Online Certificate Status Protocol, an efficient alternative to certificate revocation lists.
Palo Alto Networks firewalls can use the Online Certificate Status Protocol (OCSP) to check the revocation status of X.509 digital certificates (SSL/TLS certificates). The advantages of using OCSP instead of, or in addition to, certificate revocation lists (CRLs) are real-time certificate status responses and lower network and client resource usage. Certificate status can be good, revoked, or unknown.
After you enable certificate verification using OCSP, the firewall verifies the status of a certificate when establishing an SSL/TLS session. First, an authenticating client (the firewall) sends a status request to an OCSP responder (server). The request includes the serial number of the target certificate. Certificates are not accepted until the responder provides a status response. Next, the OCSP responder uses the serial number to search the database of the CA that issued the certificate for its revocation status. Then, the OCSP responder returns the certificate status to the client. The firewall drops sessions with revoked certificates.
If your network deployment includes a web proxy, the OCSP request workflow differs: OCSP requests and responses pass through your proxy server first. The procedure to enable an HTTP proxy for OCSP status checks describes that workflow in more detail.
Palo Alto Networks firewalls download and cache OCSP responses for every CA in the trusted CA list of the firewall. The cache holds OCSP responses for an issuing CA only after the firewall has validated a certificate issued by that CA. Caching OCSP responses speeds up the response time and minimizes OCSP traffic to the responder.
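The request, database lookup, status response and per-issuer cache described above, as an added Python example built on the cryptography library; it is not Palo Alto Networks code and does not reproduce firewall behaviour. The CA, keys, serial numbers 1001 to 1003 and their statuses are constructed test data, and the verdict strings are an assumption of this example.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)  # naive UTC, as the builders expect
DER = serialization.Encoding.DER
GOOD, REVOKED, UNKNOWN = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED, ocsp.OCSPCertStatus.UNKNOWN

def make_cert(cn, serial, issuer_name, issuer_key, key, ca=False):  # constructed test PKI, not a real CA
    return (x509.CertificateBuilder().subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer_name).public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - dt.timedelta(days=1)).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

CA_KEY, LEAF_KEY = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
CA_CERT = make_cert("Example Issuing CA", 1, CA_NAME, CA_KEY, CA_KEY, ca=True)
# The issuing CA's database that the responder searches: serial number -> (certificate, status)
CA_DB = {s: (make_cert(cn, s, CA_NAME, CA_KEY, LEAF_KEY), st) for s, cn, st in
         [(1001, "good.example", GOOD), (1002, "revoked.example", REVOKED), (1003, "norecord.example", UNKNOWN)]}

def client_request(cert):  # firewall side: the request carries the issuer hashes and the target serial number
    return ocsp.OCSPRequestBuilder().add_certificate(cert, CA_CERT, hashes.SHA256()).build().public_bytes(DER)

def responder(request_der):  # responder side: look the serial number up in the CA database, sign the status
    req = ocsp.load_der_ocsp_request(request_der)
    cert, status = CA_DB[req.serial_number]
    revoked_at = NOW - dt.timedelta(hours=2) if status is REVOKED else None
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=CA_CERT, algorithm=hashes.SHA256(), cert_status=status,
                          this_update=NOW, next_update=NOW + dt.timedelta(hours=1), revocation_time=revoked_at,
                          revocation_reason=x509.ReasonFlags.key_compromise if revoked_at else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT).sign(CA_KEY, hashes.SHA256()).public_bytes(DER))

CACHE = {}  # (issuer, serial) -> verified response; filled only after a validation, reused until nextUpdate

def firewall_verdict(cert):  # firewall side: reuse a fresh cached response or query; verify before trusting
    key = (cert.issuer, cert.serial_number)
    resp = CACHE.get(key)
    if resp is None or resp.next_update <= NOW:
        resp = ocsp.load_der_ocsp_response(responder(client_request(cert)))
        if resp.response_status is not ocsp.OCSPResponseStatus.SUCCESSFUL:
            return "no status"  # not accepted until the responder provides a status response
        # The signature must verify under the issuing CA key (a delegated responder cert would need validating too)
        CA_CERT.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
        if resp.serial_number != cert.serial_number or not resp.this_update <= NOW < resp.next_update:
            raise ValueError("response does not match the request or is outside its validity window")
        CACHE[key] = resp
    return {GOOD: "accept", REVOKED: "drop", UNKNOWN: "unknown"}[resp.certificate_status]
```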
The following applications use certificates to authenticate users and devices: Authentication Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks firewalls or Panorama. To use OCSP to verify the revocation status of certificates that authenticate users and devices, perform the following steps:
1. Enable HTTP OCSP service on the firewall (if you configure the firewall as an OCSP responder).
2. Create or obtain a certificate for each application.
3. Configure a certificate profile for each application.
4. Assign the certificate profile to the relevant application.