Device > Certificate Management > OCSP Responder
Select Device > Certificate Management > OCSP Responder to define an Online Certificate Status Protocol (OCSP) responder (server) that the firewall uses to verify the revocation status of certificates.
Besides adding an OCSP responder, enabling OCSP requires the following tasks:
Enable communication between the firewall and the OCSP server. Select Device > Setup > Management, enable OCSP in Management Interface Settings, and then click OK.
If the firewall will decrypt outbound SSL/TLS traffic, optionally configure it to verify the revocation status of destination server certificates. Select Device > Setup > Sessions, click Decryption Certificate Revocation Settings, enable OCSP in the OCSP settings, enter the receive timeout (the interval after which the firewall stops waiting for an OCSP response), and then click OK.
Optionally, to configure the firewall as an OCSP responder, add an Interface Management profile to the interface used for OCSP services. First, select Network > Network Profiles > Interface Mgmt, add a profile, select HTTP OCSP, and then click OK. Second, select Network > Interfaces, click the name of the interface that the firewall will use for OCSP services, select Advanced > Other info, select the Interface Management profile you configured, and then click OK.
OCSP Responder Setting
Enter a name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
Select the scope in which the responder is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the scope; its value is predefined as Shared. After you save the responder, you can’t change its scope.
Enter the host name (recommended) or IP address of the OCSP responder. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified. If you configure the firewall as an OCSP responder, the host name must resolve to an IP address assigned to the interface that the firewall uses for OCSP services.
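The following lab script is an added example, not PAN-OS code: using the openssl command line, it shows the OCSP URL that a verifier reads from a certificate's Authority Information Access extension (the counterpart of the URL PAN-OS derives from the host name above) and a status check that stops waiting after a receive timeout and treats a missing or failed answer as unknown. The CA, the leaf certificate and the host name ocsp.example.com are constructed for this example.

```shell
#!/bin/sh
# Added example (not PAN-OS code): build a throw-away CA and leaf certificate
# with openssl, read the OCSP URL from the leaf's AIA extension, and query the
# responder with a receive timeout. All names and hosts here are constructed.
set -e
WORK=$(mktemp -d)

# Build a throw-away CA and a leaf certificate whose AIA names the responder.
make_test_pki() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'authorityInfoAccess=OCSP;URI:http://%s/\n' "$host" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/leaf.pem" 2>/dev/null
}

# Print the responder URL embedded in a certificate (empty if it has none).
ocsp_url_of() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Map the text that 'openssl ocsp' prints for a certificate to a verdict;
# anything that is not an explicit good/revoked answer counts as unknown.
classify_ocsp_output() {
  case "$1" in
    *": good"*)    echo good ;;
    *": revoked"*) echo revoked ;;
    *)             echo unknown ;;
  esac
}

# Ask the responder named in the certificate, waiting at most $2 seconds
# (default 5). A timeout, transport failure or bad response signature yields
# unknown, the safe outcome when no trustworthy answer arrives in time.
ocsp_status() {
  cert="$1"; timeout_s="${2:-5}"
  url=$(ocsp_url_of "$cert")
  [ -n "$url" ] || { echo unknown; return 0; }
  out=$(openssl ocsp -issuer "$WORK/ca.pem" -cert "$cert" -url "$url" \
        -timeout "$timeout_s" -CAfile "$WORK/ca.pem" 2>&1) || out=""
  classify_ocsp_output "$out"
}

make_test_pki ocsp.example.com
echo "AIA OCSP URL: $(ocsp_url_of "$WORK/leaf.pem")"
```

Run `ocsp_status "$WORK/leaf.pem" 5` against a reachable responder to see the verdict; in an offline lab it reports unknown once the timeout or the failed connection ends the wait.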