Each certificate authority (CA) periodically issues
a certificate revocation list (CRL) to a public repository. The
CRL identifies revoked certificates by serial number. After the
CA revokes a certificate, the next CRL update will include the serial
number of that certificate. The firewall supports CRLs in Distinguished Encoding
Rules (DER) and Privacy Enhanced Mail (PEM) formats.
The Palo Alto Networks firewall downloads and caches the last-issued
CRL for every CA listed in the trusted CA list of the firewall.
Caching only applies to validated certificates; if a firewall never
validated a certificate, the firewall cache does not store the CRL
for the issuing CA. Also, the cache only stores a CRL until it expires.
If you configure multiple CRL distribution points (CDPs) and
the firewall cannot reach the first CDP, the firewall does not check
the remaining CDPs. To redirect invalid CRL requests, configure a DNS proxy as
an alternate server.
To use CRLs for verifying the revocation status of certificates
that authenticate users and devices, configure a certificate profile
and assign it to the interfaces that are specific to the application:
Authentication Portal, GlobalProtect (remote user-to-site or large
scale), site-to-site IPSec VPN, or web interface access to Palo Alto
Networks firewalls or Panorama. For details, see Configure
Revocation Status Verification of Certificates.