An overview of OCSP, a protocol used to check certificate
Palo Alto Networks firewalls can use the Online Certificate
Status Protocol (OCSP) to check the revocation status of X.509
digital certificates (SSL/TLS certificates). The advantages of using
OCSP instead of or in addition to certificate revocation
lists (CRLs) are real-time certificate status responses and
usage of fewer network and client resources.
After you enable certificate verification using OCSP, the
firewall verifies the status of a certificate when establishing an SSL/TLS session.
First, an authenticating client (firewall) sends an OCSP request to an OCSP responder
(server). The request includes the serial number of the target certificate. Next, the
OCSP responder uses the serial number to search the database of the CA that issued the
certificate for its revocation status. Then, the OCSP responder returns the certificate
) to the client. The firewall drops sessions
with revoked certificates.
If your network deployment consists of a web
proxy, the OCSP request workflow differs. OCSP requests and responses pass through your
proxy server first. The procedure to enable an HTTP proxy for OCSP status checks describes the
workflow in more detail.
Palo Alto Networks firewalls download and cache OCSP responses
for every CA in the trusted CA list of the firewall. The cache includes
OCSP responses for an issuing CA only if the firewall has already
validated a certificate. Caching OCSP responses speeds up the response
time and minimizes OCSP traffic to the responder.
The following applications use certificates to authenticate users
and devices: Authentication Portal, GlobalProtect (remote user-to-site
or large scale), site-to-site IPSec VPN, and web interface access
to Palo Alto Networks firewalls or Panorama. To use OCSP to verify
the revocation status of certificates that authenticate users and devices,
perform the following steps: