Palo Alto Networks Knowledgebase: Palo Alto Networks Supports DER Format for Certificate Revocation List (CRL)

Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM


When a customer creates a Client Certificate Profile and enables "Use CRL", the CRL files should be in Distinguished Encoding Rules (DER) format.
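Before uploading a CRL, it helps to confirm that the file really is DER rather than PEM. The following is an added example (not Palo Alto Networks code) that detects the encoding by checking for a PEM "X509 CRL" block or a well-formed outer DER SEQUENCE whose declared length matches the file size, and converts PEM to DER with the standard library only; the sample bodies are constructed DER wrappers, not real CRLs.

```python
import base64
import re
from typing import Optional

# A PEM-encoded CRL is base64 between these markers (RFC 7468).
PEM_CRL_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.DOTALL
)

def der_outer_length(data: bytes) -> Optional[int]:
    """Total length claimed by the outer DER SEQUENCE header, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = constructed SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short form: one length byte
        return 2 + first
    n = first & 0x7F                          # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    # DER requires the minimal length encoding; reject BER-style padding.
    if (n == 1 and length < 0x80) or (n > 1 and length < (1 << (8 * (n - 1)))):
        return None
    return 2 + n + length

def crl_encoding(data: bytes) -> str:
    """Classify a CRL file as 'PEM', 'DER' or 'UNKNOWN'."""
    if PEM_CRL_RE.search(data):
        return "PEM"
    if der_outer_length(data) == len(data):   # header length must cover the whole file
        return "DER"
    return "UNKNOWN"

def pem_to_der(data: bytes) -> bytes:
    """Convert a PEM CRL to the DER bytes the firewall expects."""
    m = PEM_CRL_RE.search(data)
    if not m:
        raise ValueError("no X509 CRL PEM block found")
    der = base64.b64decode(m.group(1))        # non-alphabet bytes (newlines) are skipped
    if der_outer_length(der) != len(der):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    return der

# Constructed samples (assumption: NOT real CRLs, just an outer SEQUENCE with
# a long-form length wrapping a 126-byte OCTET STRING).
SAMPLE_DER = b"\x30\x81\x80" + b"\x04\x7e" + b"\xaa" * 126
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")
```

A PEM CRL can equally be converted with OpenSSL (`openssl crl -inform PEM -in crl.pem -outform DER -out crl.der`); the check above is useful when OpenSSL is not at hand or the file's origin is unclear.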



Use the following CLI command to verify the use of CRL is enabled:

> show system setting ssl-decrypt setting

vsys                          : vsys1
Forward Proxy Ready           : yes
Inbound Proxy Ready           : yes
Disable ssl                   : no
Disable ssl-decrypt           : no
Notify user                   : no
Proxy for URL                 : no
Wait for URL                  : no
Block revoked Cert            : yes
Block timeout Cert            : no
Block unknown Cert            : no
Cert Status Query Timeout     : 5
URL Category Query Timeout    : 5
Use Cert Cache                : yes
Verify CRL                    : yes 
Verify OCSP                   : no
CRL Status receive Timeout    : 5
OCSP Status receive Timeout   : 5


If Verify CRL is shown as "no", it can be enabled with the following CLI commands:

> configure
# set deviceconfig setting ssl-decrypt crl yes
# commit


Additional Information on Debug Commands

  • Enable debug:
    > debug sslmgr on debug
    Note: Run the debug mode for 3 to 4 hours to cover at least a couple of "Next Update" time periods for the CRL in question, and collect the Tech Support file.


  • Collect the following output at every half of the CRL's "Next Update" period:
    > show clock
    > debug sslmgr statistics
    > debug sslmgr tar-all-crl
    > debug sslmgr view crl <value>


  • Disable debug:
    > debug sslmgr on info


  • Clear the CRL cache on the CP and DP:
    > debug sslmgr delete crl all
    > debug dataplane reset ssl-decrypt certificate-cache


For more information, review the OpenSSL online manual:


owner: kkondo
