How to Enable CRL and OCSP from the WebGUI and CLI

How to Enable CRL and OCSP from the WebGUI and CLI

41189
Created On 09/25/18 17:30 PM - Last Modified 06/12/23 18:08 PM


Resolution


Overview

Certificate Revocation List (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked. Entities that present any revoked certificates should not be trusted.

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. OCSP is described in RFC 6960 and is on the internet standards track.

Both of these features are supported on the Palo Alto Networks firewall.

Steps

On the web UI:

  1. Go to Device > Setup > Session > Session Features
    screenshot-1.JPG.jpg
  2. Click Decryption Certificate Revocation Settings to bring up the following:
    screenshot-2.JPG.jpg
  3. Check Enable for CRL and/or OCSP

On the CLI:

Run the following CLI commands from configuration mode:

  • To enable CRL
    # set deviceconfig setting ssl-decrypt crl yes
  • To enable OCSP
    # set deviceconfig setting ssl-decrypt ocsp yes


owner: sodhegba
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG4CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language