Palo Alto Networks Knowledgebase: Palo Alto Networks Supports DER Format for Certificate Revocation List (CRL)

Palo Alto Networks Supports DER Format for Certificate Revocation List (CRL)

1964
Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM
VPNs
Resolution

Details

When a customer creates a Client Certificate Profile and enables "Use CRL", the CRL files should be in Distinguished Encoding Rules (DER) format:

KB_210860.png

 

Use the following CLI command to verify the use of CRL is enabled:

> show system setting ssl-decrypt setting

vsys                          : vsys1
Forward Proxy Ready           : yes
Inbound Proxy Ready           : yes
Disable ssl                   : no
Disable ssl-decrypt           : no
Notify user                   : no
Proxy for URL                 : no
Wait for URL                  : no
Block revoked Cert            : yes
Block timeout Cert            : no
Block unknown Cert            : no
Cert Status Query Timeout     : 5
URL Category Query Timeout    : 5
Use Cert Cache                : yes
Verify CRL                    : yes 
Verify OCSP                   : no
CRL Status receive Timeout    : 5
OCSP Status receive Timeout   : 5

 

If Verify CRL is shown as "no", it can be enabled with the following CLI commands:

> configure
# set deviceconfig setting ssl-decrypt crl yes
# commit

 

Additional Information on Debug Commands

  • Enable debug:
    > debug sslmgr on debug
    Note: Run the debug mode for 3 to 4 hours to cover at least a couple of "Next Update" time periods for the CRL in question, and collect the Tech Support file.

 

  • Collect the file every half of "Next Update" time period:
    > show clock
    > debug sslmgr statistics
    > debug sslmgr tar-all-crl
    > debug sslmgr view crl <value>

 

  • Disable debug:
    > debug sslmgr on info

 

  • Clear the CRL cache on the CP and DP:
    > debug sslmgr delete crl all
    > debug dataplane reset ssl-decrypt certificate-cache

 

For more information review the OpenSSL online manual:  http://www.openssl.org/docs/apps/crl.html

 

owner: kkondo



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqRCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language