Online Certificate Status Protocol (OCSP)
Focus
Focus

Online Certificate Status Protocol (OCSP)

Table of Contents
End-of-Life (EoL)

Online Certificate Status Protocol (OCSP)

An overview of OCSP, a protocol used to check certificate revocation status
Palo Alto Networks firewalls can use the Online Certificate Status Protocol (OCSP) to check the revocation status of X.509 digital certificates (SSL/TLS certificates). The advantages of using OCSP instead of or in addition to certificate revocation lists (CRLs) are real-time certificate status responses and usage of fewer network and client resources.
After you enable certificate verification using OCSP, the firewall verifies the status of a certificate when establishing an SSL/TLS session. First, an authenticating client (firewall) sends an OCSP request to an OCSP responder (server). The request includes the serial number of the target certificate. Next, the OCSP responder uses the serial number to search the database of the CA that issued the certificate for its revocation status. Then, the OCSP responder returns the certificate status (good, revoked, or unknown) to the client. The firewall drops sessions with revoked certificates.
If your network deployment consists of a web proxy, the OCSP request workflow differs. OCSP requests and responses pass through your proxy server first. The procedure to enable an HTTP proxy for OCSP status checks describes the workflow in more detail.
Palo Alto Networks firewalls download and cache OCSP responses for every CA in the trusted CA list of the firewall. The cache includes OCSP responses for an issuing CA only if the firewall has already validated a certificate. Caching OCSP responses speeds up the response time and minimizes OCSP traffic to the responder.
The following applications use certificates to authenticate users and devices: Authentication Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks firewalls or Panorama. To use OCSP to verify the revocation status of certificates that authenticate users and devices, perform the following steps:
If your firewall functions as an SSL forward proxy, you’ll need to configure decryption certificate revocation settings.
  • Enable HTTP OCSP service on the firewall (if you configure the firewall as an OCSP responder).
  • Create or obtain a certificate for each application.
  • Configure a certificate profile for each application.
  • Assign the certificate profile to the relevant application.
Configure CRL as a fall-back method to cover situations where the OCSP responder is unavailable. For details, see Configure Revocation Status Verification of Certificates.