Troubleshoot Revoked Certificates

Find sites that have revoked certificates so you can make informed decisions about allowed traffic.
A revoked certificate is no longer valid. It may indicate that there are security issues with a site and that the certificate is not trustworthy, although there are also benign reasons why a certificate may be revoked.
Don’t trust revoked certificates; enable certificate revocation checking to deny access to sites with revoked certificates.
In order to drop sessions with revoked certificates and troubleshoot revoked certificates, you need to enable certificate revocation checking. If you don’t enable certificate revocation checking, the firewall doesn’t check for revoked certificates and you won’t know if a site has a revoked certificate.
  1. Enable certificate revocation checking if you haven’t already enabled it.
    1. Go to Device > Setup > Session > Decryption Settings.
    2. Enable both OCSP and CRL certificate checking.
      If you Block sessions on certificate status check timeout in the Forward Proxy Decryption profile and are concerned that 5 seconds is not enough time and may result in too many sessions blocked by timeouts, set the Receive Timeout (sec) to a longer amount of time.
  2. Filter the Decryption log (Monitor > Logs > Decryption) to find certificate revocation errors using the query (error eq 'OCSP/CRL check: certificate revoked').
  3. (Optional) Double-check the certificate expiration date at the Qualys SSL Labs site. Enter the hostname of the server (Server Name Identification column of the Decryption log) in the Hostname field and Submit it to view certificate information for the host.
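The same triage can be done offline against an exported copy of the Decryption log, which is useful when you want to rank the hosts producing revoked-certificate errors before looking each one up. The following is an added example, not Palo Alto Networks code: the CSV column names (receive_time, src, dst, sni, error) and the log lines are constructed to mirror the UI columns named on this page, and only the error text 'OCSP/CRL check: certificate revoked' is taken from the page itself.

```python
import csv
import io
from collections import Counter

# Constructed sample export of the Decryption log (not real firewall output).
# Column names are an assumption chosen to mirror the UI columns on the page;
# the "some other decryption error" text is a placeholder, not a PAN-OS message.
SAMPLE_DECRYPTION_LOG_CSV = """receive_time,src,dst,sni,error
2024/01/01 10:00:01,10.1.1.5,203.0.113.10,revoked.example.test,OCSP/CRL check: certificate revoked
2024/01/01 10:00:05,10.1.1.6,203.0.113.20,good.example.test,
2024/01/01 10:00:09,10.1.1.5,203.0.113.10,revoked.example.test,OCSP/CRL check: certificate revoked
2024/01/01 10:00:12,10.1.1.7,203.0.113.30,other.example.test,some other decryption error
2024/01/01 10:00:15,10.1.1.8,203.0.113.40,revoked2.example.test,OCSP/CRL check: certificate revoked
"""

# The error string used by the log query on the page.
REVOKED_ERROR = "OCSP/CRL check: certificate revoked"


def parse_decryption_log(csv_text):
    """Parse a CSV export into a list of dict records, one per log entry."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_by_error(records, error_text):
    """Offline equivalent of the log filter (error eq '<error_text>')."""
    return [r for r in records if r.get("error", "") == error_text]


def revoked_hosts(records):
    """Count revoked-certificate sessions per Server Name Identification."""
    return Counter(r["sni"] for r in filter_by_error(records, REVOKED_ERROR))


def triage_report(records):
    """Return (sni, count) pairs, noisiest host first, for manual review
    (for example at the Qualys SSL Labs site, as in the optional step)."""
    counts = revoked_hosts(records)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    log_records = parse_decryption_log(SAMPLE_DECRYPTION_LOG_CSV)
    for sni, count in triage_report(log_records):
        print(f"{count:4d}  {sni}")
```

Because a revoked certificate can have benign causes, the report is a review list, not a block list: each host still gets checked before a policy decision is made.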
