Network Security
Troubleshoot Revoked Certificates
Find sites that have revoked certificates so you can make informed decisions about
allowed traffic.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | No separate license required for decryption when using NGFWs or Prisma Access. |

Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
A revoked certificate is no longer valid. It may indicate that there are
security issues with a site and that the certificate is not trustworthy, although
there are also benign reasons why a certificate may be revoked.
Don’t trust revoked certificates; enable certificate revocation
checking to deny access to sites with revoked certificates.
To drop sessions that present revoked certificates, and to troubleshoot them, you must enable certificate revocation checking. If you don’t, the NGFW never checks whether a certificate has been revoked, so you won’t know that a site has a revoked certificate.
Troubleshoot Revoked Certificates (Strata Cloud Manager)
- Enable certificate revocation checking if you haven’t already.
  - Select Manage > Device Settings > Device Setup > Setup > Session > Decryption Settings.
  - Enable both OCSP and CRL certificate checking.
  - If you Block sessions on certificate status check timeout in the Forward Proxy Decryption profile and are concerned that 5 seconds is not enough time and may result in too many sessions blocked by timeouts, set the Receive Timeout (sec) to a longer amount of time.
- Filter the Decryption logs for certificate revocation errors.
  - Select Incidents and Alerts > Log Viewer and select Firewall/Decryption.
  - In the search field, enter the following query: Error Message = 'OCSP/CRL check: certificate revoked'
- (Optional) Double-check the certificate expiration date at the Qualys SSL Labs site.
  - Enter the hostname of the server (Server Name Identification column of the Decryption log) in the Hostname field and Submit it to view certificate information for the host.

Troubleshoot Revoked Certificates (PAN-OS)
- Enable certificate revocation checking if you haven’t already enabled it.
  - Go to Device > Setup > Session > Decryption Settings.
  - Enable both OCSP and CRL certificate checking.
  - If you Block sessions on certificate status check timeout in the Forward Proxy Decryption profile and are concerned that 5 seconds is not enough time and may result in too many sessions blocked by timeouts, set the Receive Timeout (sec) to a longer amount of time.
- Filter the Decryption log (Monitor > Logs > Decryption) to find certificate revocation errors using the query (error eq 'OCSP/CRL check: certificate revoked').
- (Optional) Double-check the certificate expiration date at the Qualys SSL Labs site.
  - Enter the hostname of the server (Server Name Identification column of the Decryption log) in the Hostname field and Submit it to view certificate information for the host.
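As an added example (not code from the Palo Alto Networks documentation), the following Python script applies the same log filter as the query above to a constructed CSV export of Decryption log rows, groups the hits by Server Name Identification, and tallies the other error messages so that revocation failures can be compared against status-check timeouts. The column names and the timeout message text are assumptions made for this example.

```python
"""Triage exported Decryption log rows for revoked-certificate errors."""
import csv
import io
from collections import Counter

# Exact error string that the documented log filter matches on.
REVOKED_MSG = "OCSP/CRL check: certificate revoked"

# Constructed sample export in a simplified layout; the column names are an
# assumption for this example, not the real PAN-OS export format. The
# "status check timed out" text is likewise a constructed placeholder.
SAMPLE_LOG = """\
receive_time,src,sni,error
2024-05-01 10:00:01,10.1.1.20,revoked.example.test,OCSP/CRL check: certificate revoked
2024-05-01 10:00:05,10.1.1.21,ok.example.test,
2024-05-01 10:00:09,10.1.1.22,revoked.example.test,OCSP/CRL check: certificate revoked
2024-05-01 10:00:12,10.1.1.23,slow-ocsp.example.test,Certificate status check timed out
2024-05-01 10:00:15,10.1.1.24,other.example.test,Unsupported cipher
"""


def parse_rows(text):
    """Parse the CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def revoked_hosts(rows):
    """Return {sni: session_count} for sessions dropped because the server
    certificate was revoked (the condition the documented query selects)."""
    return dict(Counter(r["sni"] for r in rows if r["error"] == REVOKED_MSG))


def error_breakdown(rows):
    """Count every non-empty error message. A large share of status-check
    timeouts relative to real revocations suggests raising Receive Timeout
    rather than treating those sites as untrustworthy."""
    return dict(Counter(r["error"] for r in rows if r["error"]))


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_LOG)
    for host, n in sorted(revoked_hosts(rows).items()):
        print(f"{host}: {n} session(s) with a revoked certificate")
    print(error_breakdown(rows))
```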