Certificate Revocation

Palo Alto Networks firewalls and Panorama use digital certificates to ensure trust between parties in a secure communication session. Configuring a firewall or Panorama to check the revocation status of certificates provides additional security. A party that presents a revoked certificate is not trustworthy. When a certificate is part of a chain, the firewall or Panorama checks the status of every certificate in the chain except the root CA certificate, for which it cannot verify revocation status.
Various circumstances can invalidate a certificate before its expiration date. Examples include a change of name, a change in the association between the subject and the certificate authority (for example, an employee leaves the organization), and known or suspected compromise of the private key. Under such circumstances, the certificate authority that issued the certificate must revoke it.
The firewall and Panorama support two methods for verifying certificate revocation status: Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs). If you configure both methods, the firewall or Panorama first tries the OCSP method; only if the OCSP server is unavailable does it fall back to the CRL method.
In PAN-OS, certificate revocation status verification is optional. It is a best practice to enable it in certificate profiles, which define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall or Panorama, so that the firewall or Panorama confirms a presented certificate has not been revoked.
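The check order described above (OCSP first, CRL only when the OCSP responder is unreachable, every chain member except the root), as an added Python model that is not part of this documentation or of PAN-OS. The certificate names, serials, responder behaviour, and the "undetermined" outcome when neither method answers are constructed assumptions for illustration.

```python
from collections import namedtuple

# Constructed model of the check order described above: OCSP first, CRL only
# when the OCSP responder is unreachable, every chain member except the root.
Cert = namedtuple("Cert", "subject issuer serial")

class OcspUnavailable(Exception):
    """OCSP responder could not be reached (transport failure, timeout)."""

def check_cert(cert, ocsp, crl_for_issuer):
    """Return (status, method); status is 'good', 'revoked' or 'unknown'."""
    try:
        return ocsp(cert), "ocsp"
    except OcspUnavailable:
        pass  # only an unreachable responder triggers the CRL fallback
    revoked_serials = crl_for_issuer(cert.issuer)  # None if CRL not fetched
    if revoked_serials is None:
        return "unknown", "none"  # neither method answered; policy decides
    return ("revoked" if cert.serial in revoked_serials else "good"), "crl"

def check_chain(chain, ocsp, crl_for_issuer):
    """chain is leaf first, root last; a self-signed root is skipped (assumption)."""
    details = []
    for cert in chain:
        if cert.subject == cert.issuer:
            details.append((cert.subject, "skipped", "root"))
            continue
        details.append((cert.subject, *check_cert(cert, ocsp, crl_for_issuer)))
    statuses = {status for _, status, _ in details}
    if "revoked" in statuses:
        return "untrusted", details
    if "unknown" in statuses:
        return "undetermined", details
    return "trusted", details

# Constructed sample: the issuing CA's OCSP responder is down, so the leaf is
# checked against the issuing CA's CRL, which lists its serial as revoked.
ROOT = Cert("Root CA", "Root CA", 1)
ISSUING = Cert("Issuing CA", "Root CA", 2)
LEAF = Cert("vpn-user", "Issuing CA", 3)
CRLS = {"Issuing CA": {3}}  # issuer name -> set of revoked serials

def sample_ocsp(cert):
    if cert.issuer == "Issuing CA":
        raise OcspUnavailable()
    return "good"

def demo():
    return check_chain([LEAF, ISSUING, ROOT], sample_ocsp, CRLS.get)
```

Running `demo()` shows the leaf being rejected via the CRL path while the intermediate is confirmed by OCSP and the root is skipped; passing an empty CRL map instead yields "undetermined", the case a certificate profile's policy must decide.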
