Each certificate authority (CA) periodically issues
a certificate revocation list (CRL) to a public repository. The
CRL identifies revoked certificates by serial number. After the
CA revokes a certificate, the next CRL update will include the serial
number of that certificate.

The Palo Alto Networks firewall downloads and caches the last-issued
CRL for every CA listed in the trusted CA list of the firewall.
Caching only applies to validated certificates; if a firewall never
validated a certificate, the firewall cache does not store the CRL
for the issuing CA. Also, the cache only stores a CRL until it expires.

The firewall supports CRLs only in Distinguished Encoding Rules
(DER) format. If the firewall downloads a CRL in any other format—for
example, Privacy Enhanced Mail (PEM) format—any revocation verification
process that uses that CRL will fail when a user performs an activity
that triggers the process (for example, sending outbound SSL data).
The firewall will generate a system log for the verification failure.
If the verification was for an SSL certificate, the firewall will
also display the SSL Certificate Errors Notify response page to

If you configure multiple CRL distribution points (CDPs) and
the firewall cannot reach the first CDP, the firewall does not check
the remaining CDPs. To redirect invalid CRL requests, configure a DNS proxy as
an alternate server.
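Because the firewall accepts only DER-encoded CRLs, a CDP that serves a PEM file will cause every revocation check against that CA to fail. The following added example (not Palo Alto Networks code, and not part of this page) shows how an administrator can verify what a CDP actually serves before pointing the firewall at it: it classifies a downloaded blob as DER or PEM, converts PEM to DER when needed, and checks that the DER outer SEQUENCE length matches the file size so a truncated download is caught as well. It uses only the Python standard library; the sample CRL bytes are a constructed, structurally minimal ASN.1 SEQUENCE used as a placeholder, not a real CRL.

```python
import base64
import re

# PEM armor that a CA would use when publishing a CRL in PEM rather than DER.
PEM_CRL_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.DOTALL
)

# Constructed placeholder: SEQUENCE { INTEGER 5 }. A real CRL is a much larger
# SEQUENCE (CertificateList), but it starts with the same 0x30 tag.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\nMAMCAQU=\n-----END X509 CRL-----\n"


def classify_crl(blob: bytes) -> str:
    """Return 'der', 'pem' or 'unknown' for a downloaded CRL blob."""
    if blob[:1] == b"\x30":  # ASN.1 SEQUENCE tag: DER CertificateList starts here
        return "der"
    if PEM_CRL_RE.search(blob):
        return "pem"
    return "unknown"


def der_total_length(blob: bytes) -> int:
    """Length in bytes of the outer DER SEQUENCE (tag + length field + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:  # short form: the byte is the content length
        return 2 + first
    n = first & 0x7F  # long form: next n bytes hold the content length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length field")
    content_len = int.from_bytes(blob[2 : 2 + n], "big")
    return 2 + n + content_len


def pem_to_der(blob: bytes) -> bytes:
    """Strip PEM armor and base64-decode to the DER bytes the firewall expects."""
    m = PEM_CRL_RE.search(blob)
    if not m:
        raise ValueError("not a PEM-encoded CRL")
    body = re.sub(rb"\s+", b"", m.group(1))
    der = base64.b64decode(body, validate=True)
    if der[:1] != b"\x30":
        raise ValueError("decoded PEM body is not a DER SEQUENCE")
    return der


def ensure_der(blob: bytes) -> bytes:
    """Return DER bytes for the CRL, converting from PEM if necessary.

    Raises ValueError for unknown encodings and for DER whose declared
    length does not match the bytes received (truncated or padded download).
    """
    kind = classify_crl(blob)
    if kind == "pem":
        der = pem_to_der(blob)
    elif kind == "der":
        der = blob
    else:
        raise ValueError("CRL is neither DER nor PEM; firewall cannot use it")
    expected = der_total_length(der)
    if expected != len(der):
        raise ValueError(
            f"DER length mismatch: header declares {expected} bytes, got {len(der)}"
        )
    return der


if __name__ == "__main__":
    # Usage on a real download: ensure_der(open("ca.crl", "rb").read())
    for label, blob in (("DER sample", SAMPLE_DER), ("PEM sample", SAMPLE_PEM)):
        print(f"{label}: classified as {classify_crl(blob)}, "
              f"usable DER = {ensure_der(blob).hex()}")
```

Run the output of `ensure_der` through a normal CRL parser afterwards; this check only establishes that the encoding is one the firewall will load, not that the CRL's signature or validity period are acceptable.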

To use CRLs for verifying the revocation status of certificates
that authenticate users and devices, configure a certificate profile
and assign it to the interfaces that are specific to the application:
Captive Portal, GlobalProtect (remote user-to-site or large scale),
site-to-site IPSec VPN, or web interface access to Palo Alto Networks
firewalls or Panorama. For details, see Configure
Revocation Status Verification of Certificates.