How to Enable CRL and OCSP from the WebGUI and CLI
A Certificate Revocation List (CRL) is a list of certificates (more precisely, a list of the serial numbers of certificates) that have been revoked. An entity that presents a revoked certificate should not be trusted.
The Online Certificate Status Protocol (OCSP) is an Internet protocol for obtaining the revocation status of an X.509 digital certificate. OCSP is described in RFC 6960 and is on the Internet standards track.
Both of these checks are supported on the Palo Alto Networks firewall for the certificates it validates during decryption.
On the web UI:
- Go to Device > Setup > Session > Session Features
- Click Decryption Certificate Revocation Settings to open the revocation settings dialog
- Check Enable for CRL and/or OCSP
On the CLI:
Run the following CLI commands from configuration mode:
- To enable CRL
# set deviceconfig setting ssl-decrypt crl yes
- To enable OCSP
# set deviceconfig setting ssl-decrypt ocsp yes
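To see what a revocation check actually does once it is enabled, here is an added example that is not part of the original article and is not Palo Alto Networks code: a throwaway CA built with the openssl CLI issues a certificate, revokes it and publishes a CRL, and a verifier is run with and without CRL checking. Every name, URL and file in it is constructed for the demo (the CRL and OCSP URLs in the leaf certificate are placeholders showing where a real client learns the revocation sources). The firewall's own validation engine is not openssl; the script only illustrates the CRL mechanism the setting turns on.

```shell
#!/bin/sh
# Added example: build a demo CA, issue and revoke a leaf certificate, publish
# a CRL, and compare verification with and without CRL checking.
# Requires the openssl CLI. All values are constructed for the demo.

# Verify $1 against CA cert $2; if $3 names a CRL file, enable CRL checking.
# Prints "valid", "revoked" or "error".
check_cert() {
    if [ -n "$3" ]; then
        out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1)
    else
        out=$(openssl verify -CAfile "$2" "$1" 2>&1)
    fi
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*) echo valid ;;
        *) echo error ;;
    esac
}

# Runs the whole demo in a temporary directory and prints three words:
# result before revocation, after revocation without CRL, after with CRL.
run_crl_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        mkdir -p ca/newcerts
        : > ca/index.txt
        echo 1000 > ca/serial
        echo 1000 > ca/crlnumber
        # Minimal openssl ca configuration (constructed for the demo)
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
x509_extensions  = leaf_ext

[ any_policy ]
commonName = supplied

[ req ]
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
# Placeholder revocation sources a real client would consult
crlDistributionPoints  = URI:http://crl.example.test/demo.crl
authorityInfoAccess    = OCSP;URI:http://ocsp.example.test/
EOF
        # Self-signed demo root CA
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj "/CN=Demo Root CA" -days 365 -config ca.cnf >/dev/null 2>&1 || exit 1
        # Leaf key + CSR, then issue it through the CA database
        openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
            -subj "/CN=leaf.example.test" -config ca.cnf >/dev/null 2>&1 || exit 1
        openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.crt -notext \
            >/dev/null 2>&1 || exit 1
        before=$(check_cert leaf.crt ca.crt "")
        # Revoke the leaf and publish a CRL listing its serial number
        openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1 || exit 1
        openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1 || exit 1
        without_crl=$(check_cert leaf.crt ca.crt "")
        with_crl=$(check_cert leaf.crt ca.crt ca.crl)
        echo "$before $without_crl $with_crl"
    )
    status=$?
    rm -rf "$work"
    return $status
}

run_crl_demo
```

The middle word of the output is the point: a verifier that never consults the CRL still reports the revoked certificate as valid, because the signature and validity period are untouched by revocation. Only the run with CRL checking enabled returns "revoked", which is why the setting above matters even when decryption otherwise works.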