Palo Alto Networks Supports DER Format for Certificate Revocation List (CRL)
16561
Created On 09/26/18 13:49 PM - Last Modified 06/08/23 00:50 AM
Resolution Details
When a customer creates a Client Certificate Profile and enables "Use CRL", the CRL files should be in Distinguished Encoding Rules (DER) format.
Use the following CLI command to verify the use of CRL is enabled:
> show system setting ssl-decrypt setting

vsys                        : vsys1
Forward Proxy Ready         : yes
Inbound Proxy Ready         : yes
Disable ssl                 : no
Disable ssl-decrypt         : no
Notify user                 : no
Proxy for URL               : no
Wait for URL                : no
Block revoked Cert          : yes
Block timeout Cert          : no
Block unknown Cert          : no
Cert Status Query Timeout   : 5
URL Category Query Timeout  : 5
Use Cert Cache              : yes
Verify CRL                  : yes
Verify OCSP                 : no
CRL Status receive Timeout  : 5
OCSP Status receive Timeout : 5
If Verify CRL is shown as "no", it can be enabled with the following CLI commands:
> configure
# set deviceconfig setting ssl-decrypt crl yes
# commit
Additional Information on Debug Commands
Enable debug:
> debug sslmgr on debug

Note: Run the debug mode for 3 to 4 hours to cover at least a couple of "Next Update" time periods for the CRL in question, and collect the Tech Support file.

Disable debug:
> debug sslmgr on info
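Two checks a practitioner usually wants before uploading a CRL are whether the file is really DER (as required above) and how long its "Next Update" window is (which sets how long the debug capture in the note has to run). The script below is an added example written for this article, not Palo Alto Networks code; it uses only the Python standard library, converts a PEM-armoured CRL to DER, and reads thisUpdate/nextUpdate with a minimal ASN.1 walk. The sample CRL it parses is constructed inline and unsigned (the signature field is dummy bytes), so it only demonstrates format and field handling; the firewall additionally validates the issuer's signature, which this code does not.

```python
import base64
import re
from datetime import datetime, timezone

# PEM armour used for CRLs; the firewall wants the bare DER bytes inside it.
PEM_CRL_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value with a definite length (used to build the sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body

def _read_tlv(buf: bytes, pos: int):
    """Decode the tag and definite length at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("indefinite or oversized length is not valid DER")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("declared length runs past end of data")
    return tag, start, end

def detect_format(data: bytes) -> str:
    """Return "PEM", "DER" or "unknown" for the bytes of a CRL file."""
    if PEM_CRL_RE.search(data):
        return "PEM"
    try:
        tag, _, end = _read_tlv(data, 0)
    except ValueError:
        return "unknown"
    # A DER CRL is exactly one outer SEQUENCE (0x30) spanning the whole file.
    return "DER" if tag == 0x30 and end == len(data) else "unknown"

def pem_to_der(data: bytes) -> bytes:
    """Strip the PEM armour and return the DER bytes the firewall expects."""
    m = PEM_CRL_RE.search(data)
    if not m:
        raise ValueError("no PEM CRL block found")
    return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)

def der_to_pem(der: bytes) -> bytes:
    """Inverse of pem_to_der; used here only to build a PEM sample."""
    return b"-----BEGIN X509 CRL-----\n" + base64.b64encode(der) + b"\n-----END X509 CRL-----\n"

def _parse_time(tag: int, raw: bytes) -> datetime:
    text = raw.decode("ascii")
    if tag == 0x17:  # UTCTime, YYMMDDHHMMSSZ
        return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:  # GeneralizedTime, YYYYMMDDHHMMSSZ
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("expected a Time field, got tag 0x%02x" % tag)

def crl_update_times(der: bytes):
    """Return (thisUpdate, nextUpdate) from a DER CRL; nextUpdate is None if absent."""
    tag, start, _ = _read_tlv(der, 0)            # CertificateList
    if tag != 0x30:
        raise ValueError("not a DER CRL")
    tag, pos, tbs_end = _read_tlv(der, start)    # tbsCertList
    if tag != 0x30:
        raise ValueError("missing tbsCertList")
    fields = []
    while pos < tbs_end:
        t, s, e = _read_tlv(der, pos)
        fields.append((t, der[s:e]))
        pos = e
    if fields and fields[0][0] == 0x02:          # optional version INTEGER
        fields = fields[1:]
    # Remaining order: signature AlgorithmIdentifier, issuer Name, thisUpdate, [nextUpdate]
    this_update = _parse_time(*fields[2])
    next_update = None
    if len(fields) > 3 and fields[3][0] in (0x17, 0x18):
        next_update = _parse_time(*fields[3])
    return this_update, next_update

def build_sample_crl() -> bytes:
    """Constructed, UNSIGNED placeholder CRL for demonstration (signature is dummy bytes)."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"Example Issuing CA"))
    issuer = _tlv(0x30, _tlv(0x31, cn))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + sha256_rsa + issuer
               + _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"240108000000Z"))
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 17))

if __name__ == "__main__":
    der = build_sample_crl()
    print(detect_format(der), detect_format(der_to_pem(der)))
    print(crl_update_times(der))
```

For a real CRL file, read it as bytes, run detect_format, convert with pem_to_der if it reports "PEM", and use the gap between thisUpdate and nextUpdate to size the debug capture window described in the note.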
For more information review the OpenSSL online manual: http://www.openssl.org/docs/apps/crl.html
owner: kkondo