Certificate Revocation List (CRL)
You can check the validity of certificates with a certificate revocation list (CRL).
These lists record certificates that have been revoked by the issuing certificate
authority.
Each certificate authority (CA) periodically issues a certificate revocation list (CRL)
to a public repository. The CRL is a time-stamped list that identifies revoked
certificates by their serial numbers. After the CA revokes a certificate, the next CRL
update includes that certificate's serial number. The firewall supports CRLs in
Distinguished Encoding Rules (DER) and Privacy Enhanced Mail (PEM) formats.
Browsers, applications, and other parties that rely on certificates for authentication
purposes not only check the certificate's signature and validity period, but also
retrieve a recent CRL to confirm that the certificate's serial number is not listed. The
Palo Alto Networks firewall downloads and caches the last-issued CRL for every CA listed in
the trusted CA list of the firewall. Caching only applies to validated certificates; if
the firewall has never validated a certificate, its cache does not store the CRL for
the issuing CA. Also, the cache only stores a CRL until that CRL expires.
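The two paragraphs above describe what a CRL contains (a time-stamped list of revoked serial numbers, shipped as DER or PEM) and how a relying party uses it (look up the serial, and only trust a cached copy until it expires). The following added example, written for this page and not taken from Palo Alto Networks documentation or PAN-OS code, makes that concrete with nothing but the Python standard library: it encodes a small CRL for constructed sample data (issuer name, dates and serial numbers are all invented), wraps it in PEM, reads the revoked serials and the thisUpdate/nextUpdate window back out of either encoding, and answers the revocation question while refusing to use a CRL past its nextUpdate. The signature field is a zero placeholder and is deliberately not verified; a real relying party, the firewall included, must first check the CRL signature against the issuing CA's public key.

```python
"""Added example: structure of an X.509 CRL (RFC 5280 section 5.1), DER and PEM.

Signature is a placeholder and is NOT verified here; a relying party must verify
the CRL signature with the issuing CA's key before trusting the list.
Standard library only.
"""
import base64
import re
from datetime import datetime, timezone

UTC = timezone.utc

# ---- minimal DER encoding -------------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body          # long form: 0x8N + N length bytes

def tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_int(n):                        # non-negative INTEGER, leading 0x00 when high bit set
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_utctime(dt):                   # UTCTime, YYMMDDHHMMSSZ
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def seq(*parts):
    return tlv(0x30, b"".join(parts))

SHA256_WITH_RSA = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))

def build_crl(issuer_cn, this_update, next_update, revoked):
    """revoked: {serial: revocation datetime}. Signature field is a zero placeholder."""
    issuer = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")),   # CN=
                               tlv(0x0C, issuer_cn.encode()))))
    entries = seq(*(seq(der_int(s), der_utctime(d)) for s, d in revoked.items()))
    tbs = seq(der_int(1), SHA256_WITH_RSA, issuer, der_utctime(this_update),
              der_utctime(next_update), entries if revoked else b"")
    placeholder_sig = tlv(0x03, b"\x00" * 33)      # BIT STRING; a real CA signs tbs here
    return seq(tbs, SHA256_WITH_RSA, placeholder_sig)

def to_pem(der):
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(der) + b"-----END X509 CRL-----\n"

# ---- minimal DER decoding -------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, content, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                     # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):              # 0x17 UTCTime (two-digit year) or 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=UTC)

def load_crl(data):
    """Accept DER bytes or PEM text; return thisUpdate, nextUpdate and revoked serials."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    _, cert_list, _ = read_tlv(data)
    _, tbs, _ = read_tlv(cert_list)                  # TBSCertList is the first element
    f = children(tbs)
    i = 1 if f[0][0] == 0x02 else 0                  # optional version INTEGER
    i += 2                                           # skip signature alg and issuer Name
    this_update = parse_time(*f[i]); i += 1
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):
        next_update = parse_time(*f[i]); i += 1
    revoked = {}
    if i < len(f) and f[i][0] == 0x30:               # revokedCertificates SEQUENCE
        for _, entry in children(f[i][1]):
            (_, ser), (ttag, tval) = children(entry)[:2]
            revoked[int.from_bytes(ser, "big")] = parse_time(ttag, tval)
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def revocation_status(crl, serial, now):
    """'stale' once nextUpdate has passed: a cached CRL is only usable until it expires."""
    if crl["next_update"] is not None and now > crl["next_update"]:
        return "stale"
    return "revoked" if serial in crl["revoked"] else "good"

# ---- constructed sample data (invented issuer, dates and serials) -----------
SAMPLE_DER = build_crl("Example Issuing CA",
                       datetime(2024, 5, 1, tzinfo=UTC), datetime(2024, 5, 8, tzinfo=UTC),
                       {0x1001: datetime(2024, 4, 30, 12, 0, tzinfo=UTC),
                        0x1002: datetime(2024, 4, 30, 13, 0, tzinfo=UTC)})
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    crl = load_crl(SAMPLE_PEM)
    for serial in (0x1001, 0x2000):
        print(hex(serial), revocation_status(crl, serial, datetime(2024, 5, 3, tzinfo=UTC)))
```

The `stale` result is the code's version of the caching rule above: once `nextUpdate` has passed, the answer "good" from an old list means nothing, and a fresh CRL has to be fetched from the CDP before the serial number can be trusted either way.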
If you configure multiple CRL distribution points (CDPs) and the firewall cannot reach
the first CDP, the firewall does not check the remaining CDPs. To redirect invalid CRL
requests, configure a DNS proxy as an alternate server.
An advantage of the CRL revocation method is that CRLs can be distributed through the
same channels as certificates themselves, including untrusted servers and untrusted
communications. One limitation is the periodic nature of updates: a client could
download a CRL just before the CA issues a new one and so miss recent revocations.
To use CRLs for verifying the revocation status of certificates that authenticate users
and devices, configure a certificate profile and assign it to the interfaces that are
specific to the application: Authentication Portal, GlobalProtect (remote user-to-site
or large scale), site-to-site IPSec VPN, or web interface access to Palo Alto Networks
firewalls or Panorama. For details, see Configure Revocation Status Verification of
Certificates.