Device > Certificate Management > OCSP Responder
Select Device > Certificate Management > OCSP Responder to define
an Online Certificate Status Protocol (OCSP) responder (server)
to verify the revocation status of certificates.
Besides adding an OCSP responder, enabling OCSP requires the
following tasks:
- Enable communication between the firewall and the OCSP server: select Device > Setup > Management, select HTTP OCSP in Management Interface Settings, and then click OK.
- If the firewall will decrypt outbound SSL/TLS traffic, optionally configure it to verify the revocation status of destination server certificates: select Device > Setup > Sessions, click Decryption Certificate Revocation Settings, select Enable in the OCSP settings, enter the Receive Timeout (the interval after which the firewall stops waiting for an OCSP response), and then click OK.
- Optionally, to configure the firewall as an OCSP responder, add an Interface Management profile to the interface used for OCSP services. First, select Network > Network Profiles > Interface Mgmt, click Add, select HTTP OCSP, and then click OK. Second, select Network > Interfaces, click the name of the interface that the firewall will use for OCSP services, select Advanced > Other info, select the Interface Management profile you configured, and then click OK and Commit.
Enable an OCSP responder so that if a
certificate was revoked, you are notified and can take appropriate
action to establish a secure connection to the portal and gateways.
OCSP Responder Settings | Description |
---|---|
Name | Enter a name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores. |
Location | Select the scope in which the responder is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared. After you save the responder, you can’t change its Location. |
Host Name | Enter the host name (recommended) or IP address of the OCSP responder. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified. If you configure the firewall as an OCSP responder, the host name must resolve to an IP address in the interface that the firewall uses for OCSP services. |
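
A pre-commit check for the Name and Host Name rules in the table above, as an added example that is not PAN-OS or vendor code. The function names, the `existing_names` list, the ASCII reading of "letters", and the sample host names and addresses are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Name rule from the settings table: up to 31 characters, using only letters,
# numbers, spaces, hyphens and underscores (ASCII letters are an assumption).
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")

# Constructed sample DNS data (documentation address ranges), for offline runs.
SAMPLE_DNS = {"ocsp.example.test": ["192.0.2.10"],
              "stale.example.test": ["198.51.100.7"]}


def dns_resolver(host):
    """Resolve a host name or IP literal with the system resolver."""
    infos = socket.getaddrinfo(host, None)
    return {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}


def sample_resolver(host):
    """Offline stand-in for dns_resolver, backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise OSError("name not found")
    return {ipaddress.ip_address(a) for a in SAMPLE_DNS[host]}


def check_responder(name, host, existing_names, interface_addrs,
                    resolver=dns_resolver):
    """Return a list of problems; an empty list means the settings pass.

    interface_addrs holds the addresses ("ip" or "ip/prefix") configured on the
    interface used for OCSP services; leave it empty for an external responder.
    """
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: use 1-31 letters, numbers, spaces, '-' or '_'")
    if name in existing_names:  # case-sensitive, as the table states
        problems.append("name: already in use")
    try:
        resolved = resolver(host)
    except OSError as exc:
        return problems + [f"host: {host!r} does not resolve ({exc})"]
    local = {ipaddress.ip_interface(a).ip for a in interface_addrs}
    if local and not resolved & local:
        seen = ", ".join(sorted(str(ip) for ip in resolved))
        problems.append(f"host: {host!r} resolves to {seen}, not the interface")
    return problems


if __name__ == "__main__":
    print(check_responder("ocsp fw-1", "stale.example.test", [],
                          ["192.0.2.10/24"], sample_resolver))
```

Omit the `resolver` argument to run the check against live DNS, so a record that points away from the OCSP interface is caught before clients start querying the URL embedded in issued certificates.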