Configure an OCSP Responder

To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder can be a third-party certificate authority (CA). If your enterprise has its own public key infrastructure (PKI), you can use external OCSP responders or you can configure the firewall itself as an OCSP responder. For details on OCSP, see Certificate Revocation.
Configure an OCSP responder Certificate Profile only when you generate a new certificate (Device > Certificate Management > Certificates). Specify the OCSP Responder when you generate a new certificate so that the firewall populates the Authority Information Access (AIA) field with the appropriate URL, and then specify the new certificate in the Certificate Profile. Configuring a Certificate Profile does not override the Certificate Profile for existing certificates or Root CAs.
You can enable OCSP validation or override the AIA field of a certificate in the Certificate Profile. The Certificate Profile configuration determines which certificate validation mechanisms are applied to certificates that authenticate to services hosted on the firewall, such as GlobalProtect.
  1. Define an external OCSP responder or configure the firewall itself as an OCSP responder.
    1. Select Device > Certificate Management > OCSP Responder and click Add.
    2. Enter a Name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
    3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
    4. In the Host Name field, enter the host name (recommended) or IP address of the OCSP responder. You can enter an IPv4 or IPv6 address. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified.
      If you configure the firewall itself as an OCSP responder, the host name must resolve to an IP address in the interface that the firewall uses for OCSP services.
    5. Click OK.
  2. If you want the firewall to use the management interface for the OCSP responder interface, enable OCSP communication on the firewall. Otherwise, continue to the next step to configure an alternate interface.
    1. Select Device > Setup > Interfaces > Management.
    2. In the Network Services section, select the HTTP OCSP check box, then click OK.
  3. To use an alternate interface as the OCSP responder interface, add an Interface Management Profile to the interface used for OCSP services.
    1. Select Network > Network Profiles > Interface Mgmt.
    2. Click Add to create a new profile or click the name of an existing profile.
    3. Select the HTTP OCSP check box and click OK.
    4. Select Network > Interfaces and click the name of the interface that the firewall will use for OCSP services. The OCSP Host Name specified in Step 1 must resolve to an IP address in this interface.
    5. Select Advanced > Other info and select the Interface Management Profile you configured.
    6. Click OK and Commit.
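The procedure above states three constraints that are easy to get wrong before a Commit: the responder Name limit and character set, the form of the Host Name (host name, IPv4 or IPv6), and, for a firewall-hosted responder, the requirement that the Host Name resolve to an address on the interface that carries the HTTP OCSP service. The script below is an added example, not PAN-OS code or Palo Alto Networks documentation; it checks those constraints offline against constructed inputs. The DNS table, the interface addresses, and the responder names in it are assumptions made for the example, and the exact validation PAN-OS performs (and the URL it derives from the Host Name) is not reproduced here.

```python
"""Pre-commit sanity checks for a PAN-OS OCSP responder entry (added example).

The checks mirror the constraints stated in the procedure:
  - Name: at most 31 characters; letters, digits, spaces, hyphens and
    underscores only; unique, compared case-sensitively.
  - Host Name: a host name (recommended), an IPv4 address or an IPv6 address.
  - Firewall-hosted responder: the Host Name must resolve to an address that
    is assigned to the interface carrying the HTTP OCSP service.
DNS answers and interface addresses are constructed inputs so the script runs
without network or firewall access; in practice pass a real resolver
(for example one built on socket.getaddrinfo) to check_self_hosted_responder.
"""
import ipaddress
import re

NAME_MAX_LEN = 31                               # limit stated in the procedure
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]+$")      # letters, digits, space, hyphen, underscore
HOSTNAME_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_responder_name(name, existing_names=()):
    """Return a list of problems with the Name field; an empty list means it is acceptable."""
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > NAME_MAX_LEN:
        problems.append(f"name exceeds {NAME_MAX_LEN} characters")
    if name and not NAME_RE.match(name):
        problems.append("name contains characters other than letters, digits, space, hyphen, underscore")
    if name in existing_names:                  # case-sensitive, as on the firewall
        problems.append("name is already used by another OCSP responder")
    return problems


def classify_host(host):
    """Classify the Host Name field as 'ipv4', 'ipv6', 'hostname' or 'invalid'."""
    try:
        return "ipv4" if ipaddress.ip_address(host).version == 4 else "ipv6"
    except ValueError:
        pass
    labels = host.split(".")
    if 0 < len(host) <= 253 and all(HOSTNAME_LABEL_RE.match(label) for label in labels):
        return "hostname"
    return "invalid"


def addresses_on_interface(resolved, interface_addrs):
    """Return the resolved addresses that are assigned to the interface.

    interface_addrs are the interface's own addresses in CIDR notation
    (e.g. '10.1.1.1/24'); only the host part is compared, because an address
    that is merely in the same subnet is not served by the firewall."""
    assigned = {ipaddress.ip_interface(a).ip for a in interface_addrs}
    return [a for a in resolved if ipaddress.ip_address(a) in assigned]


def check_self_hosted_responder(host, resolve, interface_addrs):
    """Problems for a firewall-hosted responder; `resolve` maps a host name to a list of IPs."""
    kind = classify_host(host)
    if kind == "invalid":
        return [f"{host!r} is neither a host name nor an IP address"]
    resolved = [host] if kind in ("ipv4", "ipv6") else (resolve(host) or [])
    if not resolved:
        return [f"{host!r} does not resolve"]
    if not addresses_on_interface(resolved, interface_addrs):
        return [f"{host!r} resolves to {resolved}, none of which is assigned to the OCSP interface {interface_addrs}"]
    return []


# Constructed stand-ins for DNS and for the OCSP interface's configured addresses.
FAKE_DNS = {
    "ocsp.example.internal": ["10.1.1.1"],
    "old-ocsp.example.internal": ["192.0.2.50"],   # points at a host that is not the firewall
}
OCSP_INTERFACE_ADDRS = ["10.1.1.1/24", "2001:db8:1::1/64"]


def run_checks():
    """Run the checks against the constructed inputs and return the findings by case."""
    return {
        "name_ok": validate_responder_name("corp-ocsp 1", existing_names=["corp-ocsp-2"]),
        "name_too_long_and_bad_chars": validate_responder_name("corp/ocsp" + "x" * 30),
        "host_on_interface": check_self_hosted_responder("ocsp.example.internal", FAKE_DNS.get, OCSP_INTERFACE_ADDRS),
        "host_off_interface": check_self_hosted_responder("old-ocsp.example.internal", FAKE_DNS.get, OCSP_INTERFACE_ADDRS),
        "host_unresolvable": check_self_hosted_responder("nothing.example.internal", FAKE_DNS.get, OCSP_INTERFACE_ADDRS),
        "ipv6_literal": check_self_hosted_responder("2001:db8:1::1", FAKE_DNS.get, OCSP_INTERFACE_ADDRS),
    }


if __name__ == "__main__":
    for case, problems in run_checks().items():
        print(f"{case}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as a script to see one line per case; the findings are returned as lists so the same functions can be wired into a change-review step that blocks a Commit when any list is non-empty.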
