Certificate Revocation
Certificate revocation invalidates X.509 certificates before their set expiration,
often due to a compromised key.
Next-Generation Firewalls (NGFWs) and Panorama use digital certificates to establish
trust between parties during a secure communication session. A digital certificate
verifies the identity of the entity to which it was issued. When issued, X.509
certificates are assigned a validity period—a specific start date and inclusive
expiration date. Certificates are considered valid and can secure communications during
this period. However, certificates can become invalid before their expiration date for
several reasons:
- Compromise of a private key (known or suspected)
- A change of name
- The operation of the service belonging to the certificate was discontinued (for
example, because there is a new service under a different name)
- Change of association between subject and certificate authority (for example, an
employee terminates employment)
Under these circumstances, the certificate authority (CA) that issued the certificate
must revoke it.
Certificate revocation is the process of invalidating a
certificate before it expires. A revoked certificate is no longer trustworthy and can’t
be used to establish secure connections.
When a certificate is part of a chain, the NGFW or Panorama checks the validity of every
certificate in that chain, except for the root CA certificate. This process, known as
certificate revocation checking, prevents potential security breaches and
protects users from untrustworthy websites or services. Some web browsers perform this
check and, if a website's certificate is revoked, might display a warning or refuse the
connection.
The NGFW and Panorama support two methods for verifying certificate revocation
status:
- Certificate Revocation List (CRL)—A CRL is a list of certificates, identified by
serial number, that have been issued and subsequently revoked by a CA. CAs
typically publish CRLs periodically or immediately after a certificate has been
revoked.
- Online Certificate Status Protocol (OCSP)—OCSP is an Internet Protocol that
enables clients, like a firewall or web browser, to obtain the revocation status
of an X.509 certificate in real time. The protocol governs the communication
between an OCSP client, which requests the revocation status, and an OCSP
responder, which provides it.
If your enterprise has its own public key infrastructure
(PKI), you can configure an NGFW to function as the OCSP responder.
Certificate revocation checking must be enabled. If you configure both methods, the NGFW
or Panorama first tries the OCSP method. If the OCSP server is unavailable, it uses the
CRL method.
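The checking order described above (every certificate in the chain except the root CA is checked, OCSP is tried first, and the CRL is consulted only when the responder is unavailable), as an added Python example that is not Palo Alto Networks code. The certificates, CRL and OCSP responder are constructed stand-ins rather than real X.509 parsing.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # neither OCSP nor a CRL could answer for this certificate

class OcspUnavailable(Exception): pass  # the OCSP responder could not be reached

@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    issuer: str

Crl = Dict[str, Set[int]]  # issuing CA -> serial numbers it has revoked

def check_chain(chain: List[Cert], ocsp: Callable[[str, int], str], crl: Crl) -> Dict[int, Status]:
    """Check every certificate except the root CA: OCSP first, CRL only if OCSP is down."""
    results: Dict[int, Status] = {}
    for cert in chain:
        if cert.subject == cert.issuer:
            continue  # self-signed root CA is the trust anchor and is not checked
        try:
            results[cert.serial] = Status(ocsp(cert.issuer, cert.serial))  # real-time answer
        except OcspUnavailable:
            revoked = crl.get(cert.issuer)  # responder unreachable: consult the CA's CRL
            if revoked is None:
                results[cert.serial] = Status.UNKNOWN
            else:
                results[cert.serial] = Status.REVOKED if cert.serial in revoked else Status.GOOD
    return results

# Constructed sample data, not from any real PKI: leaf -> intermediate -> root.
ROOT = Cert(1, "Example Root CA", "Example Root CA")
INTER = Cert(1001, "Example Issuing CA", "Example Root CA")
LEAF = Cert(4242, "www.example.test", "Example Issuing CA")
CHAIN = [LEAF, INTER, ROOT]
CRL_DATA: Crl = {"Example Root CA": set(), "Example Issuing CA": {4242}}
# The responder already knows the intermediate is revoked; the periodic CRL does not yet.
OCSP_DB = {("Example Issuing CA", 4242): "revoked", ("Example Root CA", 1001): "revoked"}

def ocsp_online(issuer: str, serial: int) -> str:
    return OCSP_DB.get((issuer, serial), "good")

def ocsp_down(issuer: str, serial: int) -> str:
    raise OcspUnavailable(f"no response from the responder for {issuer}")
```

With the responder reachable, both non-root certificates report revoked; with it down, the stale CRL still flags the leaf but reports the intermediate as good, which is the gap a periodically published CRL leaves compared to a real-time OCSP answer.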