Device > Certificate Management > OCSP Responder
Select DeviceCertificate ManagementOCSP Responder to define an Online Certificate Status Protocol (OCSP) responder (server) to verify the revocation status of certificates.
Besides adding an OCSP responder, enabling OCSP requires the following tasks:
- Enable communication between the firewall and the OCSP server: select DeviceSetupManagement, select HTTP OCSP in Management Interface Settings, and then click OK.
- If the firewall will decrypt outbound SSL/TLS traffic, optionally configure it to verify the revocation status of destination server certificates: select DeviceSetupSessions, click Decryption Certificate Revocation Settings, select Enable in the OCSP settings, enter the Receive Timeout (the interval after which the firewall stops waiting for an OCSP response), and then click OK.
- Optionally, to configure the firewall as an OCSP responder, add an Interface Management profile to the interface used for OCSP services. First, select NetworkNetwork ProfilesInterface Mgmt, click Add, select HTTP OCSP, and then click OK. Second, select NetworkInterfaces, click the name of the interface that the firewall will use for OCSP services, select AdvancedOther info, select the Interface Management profile you configured, and then click OK and Commit.
Enable an OCSP responder so that if a certificate was revoked, you are notified and can take appropriate action to establish a secure connection to the portal and gateways.
OCSP Responder Settings
Enter a name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
Select the scope in which the responder is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared. After you save the responder, you can’t change its Location.
Enter the host name (recommended) or IP address of the OCSP responder. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified. If you configure the firewall as an OCSP responder, the host name must resolve to an IP address in the interface that the firewall uses for OCSP services.
Configure an OCSP Responder
Configure an OCSP Responder To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must configure the firewall to access ...
Device > Certificate Management > Certificate Profile
Device > Certificate Management > Certificate Profile Device > Certificate Management > Certificate Profile Panorama > Certificate Management > Certificate Profiles Certificate profiles define which ...
Renew a Certificate
Renew a Certificate If a certificate expires, or soon will, you can reset the validity period. If an external certificate authority (CA) signed the certificate ...
Configure a Certificate Profile
Configure a Certificate Profile Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access ...
Online Certificate Status Protocol (OCSP)
Online Certificate Status Protocol (OCSP) When establishing an SSL/TLS session, clients can use Online Certificate Status Protocol (OCSP) to check the revocation status of the ...
Set Up Verification for Certificate Revocation Status
Set Up Verification for Certificate Revocation Status To verify the revocation status of certificates, the firewall uses Online Certificate Status Protocol (OCSP) and/or certificate revocation ...
Obtain a Certificate from an External CA
Obtain a Certificate from an External CA The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does ...
Generate a Certificate
Generate a Certificate Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive ...
Create a Self-Signed Root CA Certificate
Create a Self-Signed Root CA Certificate A self-signed root certificate authority (CA) certificate is the top-most certificate in a certificate chain. A firewall can use ...