Online Certificate Status Protocol (OCSP)
You can verify certificate validity in real-time with the Online Certificate Status Protocol, an efficient alternative to certificate revocation lists.
Palo Alto Networks firewalls can use the Online Certificate Status Protocol (OCSP) to check the revocation status of X.509 digital certificates (SSL/TLS certificates). The advantages of using OCSP instead of, or in addition to, certificate revocation lists (CRLs) are real-time certificate status responses and lower use of network and client resources. Certificate status can be good, revoked, or unknown.
After you enable certificate verification using OCSP, the firewall verifies the status of a certificate when establishing an SSL/TLS session. First, an authenticating client (the firewall) sends a status request to an OCSP responder (server). The request includes the serial number of the target certificate. Certificates are not accepted until the responder provides a status response. Next, the OCSP responder uses the serial number to search the database of the CA that issued the certificate for its revocation status. Then, the OCSP responder returns the certificate status to the client. The firewall drops sessions with revoked certificates.
If your network deployment consists of a web proxy, the OCSP request workflow differs. OCSP requests and responses pass through your proxy server first. The procedure to enable an HTTP proxy for OCSP status checks describes the workflow in more detail.
Palo Alto Networks firewalls download and cache OCSP responses for every CA in the trusted CA list of the firewall. The cache includes OCSP responses for an issuing CA only if the firewall has already validated a certificate. Caching OCSP responses speeds up the response time and minimizes OCSP traffic to the responder.
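The request/response flow and per-issuer response cache described above, together with the CRL fall-back the page recommends, as an added example that is not Palo Alto Networks code: it builds the RFC 6960 CertID that carries the target certificate's serial number (standard-library Python only), runs it against a toy responder, serves repeat checks from the cache, and falls back to a CRL when the responder is unreachable. The Responder and Firewall classes and the sample issuer values are constructed for illustration and do not model PAN-OS internals.

```python
import hashlib, time

def der(tag, body):
    """Minimal DER TLV encoder; lengths below 65536 suffice for a CertID."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def cert_id(issuer_name_der, issuer_key_bits, serial):
    """RFC 6960 CertID: SHA-1 AlgorithmIdentifier, issuerNameHash, issuerKeyHash, serialNumber."""
    sha1_alg = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b""))
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive INTEGER
    return der(0x30, sha1_alg + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_key_bits).digest()) + der(0x02, ser))

def parse_cert_id(cid):
    """Read issuerKeyHash and serialNumber back out of a SHA-1 CertID (fixed layout)."""
    return cid[37:57], int.from_bytes(cid[59:59 + cid[58]], "big")

class Responder:  # responder side: revoked serials per issuing CA, keyed by issuerKeyHash
    def __init__(self, revoked_by_issuer, validity=3600):
        self.db, self.validity, self.up = revoked_by_issuer, validity, True
    def query(self, cid):
        if not self.up:
            raise ConnectionError("OCSP responder unreachable")
        key_hash, serial = parse_cert_id(cid)
        if key_hash not in self.db:               # this CA is not served here
            return "unknown", time.time() + self.validity
        return ("revoked" if serial in self.db[key_hash] else "good"), time.time() + self.validity

class Firewall:  # client side: cached response first, then the responder, then the CRL
    def __init__(self, responder, crl_by_issuer):
        self.responder, self.crl, self.cache = responder, crl_by_issuer, {}
    def revocation_status(self, cid, now=None):
        now = time.time() if now is None else now
        cached = self.cache.get(cid)
        if cached and cached[1] > now:            # fresh cached response: no request sent
            return cached[0]
        try:
            status, next_update = self.responder.query(cid)
            self.cache[cid] = (status, next_update)   # cached per CertID once validated
            return status
        except ConnectionError:                   # OCSP unavailable: fall back to the CRL
            key_hash, serial = parse_cert_id(cid)
            if key_hash not in self.crl:
                return "unknown"
            return "revoked" if serial in self.crl[key_hash] else "good"

CA_NAME, CA_KEY = b"CN=Example Issuing CA", b"constructed-issuer-key-bits"  # constructed sample
CA_KEY_HASH = hashlib.sha1(CA_KEY).digest()
```

A revoked result from either path means the session is dropped; how an unknown result is treated is a policy decision in the certificate profile.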
The following applications use certificates to authenticate users and devices: Authentication Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks firewalls or Panorama. To use OCSP to verify the revocation status of certificates that authenticate users and devices, perform the following steps:
  • Enable HTTP OCSP service on the firewall (if you configure the firewall as an OCSP responder).
  • Create or obtain a certificate for each application.
  • Configure a certificate profile for each application.
  • Assign the certificate profile to the relevant application.
If your firewall functions as an SSL forward proxy, you’ll need to configure decryption certificate revocation settings.
Configure CRL as a fall-back method to cover situations where the OCSP responder is unavailable. For details, see Configure Revocation Status Verification of Certificates.