Certificate Revocation
Certificate revocation invalidates X.509 certificates before their set expiration, often due to a compromised key.
Next-Generation Firewalls (NGFWs) and Panorama use digital certificates to establish trust between parties during a secure communication session. A digital certificate verifies the identity of the entity to which it was issued. When issued, X.509 certificates are assigned a validity period—a specific start date and an inclusive expiration date. Certificates are considered valid and can secure communications during this period. However, a certificate can become invalid before its expiration date for several reasons:
  • Compromise of a private key (known or suspected)
  • A change of name
  • The operation of the service belonging to the certificate was discontinued (for example, because there is a new service under a different name)
  • Change of association between subject and certificate authority (for example, an employee terminates employment)
Under these circumstances, the certificate authority (CA) that issued the certificate must revoke it. Certificate revocation is the process of invalidating a certificate before it expires. A revoked certificate is no longer trustworthy and can’t be used to establish secure connections.
When a certificate is part of a chain, the NGFW or Panorama checks the validity of every certificate in that chain, except for the root CA certificate. This process, known as certificate revocation checking, prevents potential security breaches and protects users from untrustworthy websites or services. Some web browsers perform this check and, if a website's certificate is revoked, might display a warning or refuse the connection.
The NGFW and Panorama support two methods for verifying certificate revocation status:
  • Certificate Revocation List (CRL)—A CRL is a list of certificates, identified by serial number, that have been issued and subsequently revoked by a CA. CAs typically publish CRLs periodically or immediately after a certificate has been revoked.
  • Online Certificate Status Protocol (OCSP)—OCSP is an Internet protocol that enables clients, such as a firewall or web browser, to obtain the revocation status of an X.509 certificate in real time. The protocol governs the communication between an OCSP client, which requests the revocation status, and an OCSP responder, which provides it.
    If your enterprise has its own public key infrastructure (PKI), you can configure an NGFW to function as the OCSP responder.
    Proxy Server Support: OCSP works with network deployments that include a web proxy. To route OCSP requests and responses through a proxy server, configure the HTTP proxy for OCSP verification.
Certificate revocation checking must be enabled. If you configure both methods, the NGFW or Panorama first tries the OCSP method. If the OCSP server is unavailable, it uses the CRL method.
Configure the NGFW or Panorama to verify the revocation status of certificates that it uses for device or user authentication and SSL/TLS decryption.
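The following Go program is an added example, not code from the NGFW, Panorama or PAN-OS; it illustrates the two mechanisms described above and the order in which they are tried. It builds a throwaway CA, a leaf certificate and a CRL entirely in memory (all names and serial numbers are constructed), then checks the leaf the way the text describes: OCSP first, and the CRL only when the OCSP responder is unavailable. The Go standard library has no OCSP client, so `OCSPClient` is a stand-in function that models a responder being reachable or not. The CRL path shows the two checks a practitioner would want before trusting a revocation list: the issuing CA's signature on it must verify, and the list must not be past its `NextUpdate`. Only then is the certificate's serial number looked up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Revocation verdicts a checker can return for one certificate.
const (
	StatusGood    = "good"
	StatusRevoked = "revoked"
	StatusUnknown = "unknown"
)

// ErrOCSPUnavailable stands for an OCSP responder that cannot be reached.
var ErrOCSPUnavailable = errors.New("ocsp responder unavailable")

// OCSPClient stands in for a real OCSP client (assumption; the standard library has none).
type OCSPClient func(serial *big.Int) (string, error)

// crlChecker verifies the CA's signature on the CRL, rejects a stale list, then looks the serial up.
func crlChecker(cert, issuer *x509.Certificate, crlDER []byte) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, fmt.Errorf("parse crl: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // unverifiable CRL: fail closed
		return StatusUnknown, fmt.Errorf("crl signature: %w", err)
	}
	if !crl.NextUpdate.IsZero() && time.Now().After(crl.NextUpdate) {
		return StatusUnknown, errors.New("crl is past its NextUpdate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// checkRevocation applies the order the text describes: OCSP first, CRL only
// when the responder is unavailable. It also reports which method decided.
func checkRevocation(cert, issuer *x509.Certificate, ocsp OCSPClient, crlDER []byte) (string, string, error) {
	st, err := ocsp(cert.SerialNumber)
	if err == nil {
		return st, "ocsp", nil
	}
	if !errors.Is(err, ErrOCSPUnavailable) {
		return StatusUnknown, "ocsp", err // responder reachable but failing: not a fallback case
	}
	st, err = crlChecker(cert, issuer, crlDER)
	return st, "crl", err
}

// must panics on error; acceptable only for the example scaffolding below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildTestPKI constructs, in memory, a throwaway CA, a leaf it issued, and a
// CRL from that CA revoking the leaf. Names and serial numbers are made up.
func buildTestPKI() (leaf, ca *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to issue a CRL
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "service.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ // the CA revokes the leaf
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, ca, caKey))
	return leaf, ca, crlDER
}

func main() {
	leaf, ca, crlDER := buildTestPKI()
	down := OCSPClient(func(*big.Int) (string, error) { return StatusUnknown, ErrOCSPUnavailable })
	st, src, err := checkRevocation(leaf, ca, down, crlDER)
	fmt.Printf("OCSP responder down: %s (decided by %s, err=%v)\n", st, src, err)
}
```

Two design points carry over to a real deployment. A responder that is reachable but returns an error is deliberately not treated as "unavailable", so the checker does not silently downgrade to the CRL in that case. And a CRL whose signature does not verify against the issuer, or which is past `NextUpdate`, yields `unknown` rather than `good`; the page's statement that a revoked certificate "is no longer trustworthy" only holds if the revocation data itself is trusted first.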