View/Delete CRL and OCSP cache

49375
Created On 09/26/18 13:49 PM - Last Modified 04/13/21 03:03 AM


Environment


  •  Any PAN-OS platform
  •  Certificate deployment


Cause


  • A Certificate Revocation List (CRL) is a signed list, published by the Certificate Authority (CA), of the certificates it has revoked; the Online Certificate Status Protocol (OCSP) lets a client ask the CA's responder whether an individual certificate has been revoked. If the private key associated with a certificate is lost or exposed, any authentication using that certificate should be denied.
  • Similarly, people change jobs, names, and companies. When their certificates are replaced, the old certificates have to be marked as invalid. CRL and OCSP exist to track certificates that are otherwise valid (issued by a trusted CA and not yet expired) but have been revoked. The firewall caches the CRLs and OCSP responses it retrieves on both the Management Plane (MP) and the Data Plane (DP).


Resolution


  1. To view the CRL/OCSP cache:
     > debug sslmgr view crl <value>
     > debug sslmgr view ocsp all | <OCSP URL>
  2. To delete the CRL/OCSP cache:

     Note: These commands are run on the MP (management plane).

     > debug sslmgr delete crl all | <CRL to delete>
     > debug sslmgr delete ocsp all | <OCSP URL>

     Note: These commands are run on the DP (data plane).

     > debug dataplane reset ssl-decrypt certificate-status
     > debug dataplane reset ssl-decrypt certificate-cache
  3. To check CRL and OCSP statistics:
     > debug sslmgr statistics
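The cache-flush commands above matter because a relying party that keeps using a CRL it fetched before a revocation will keep accepting the revoked certificate. The following script is an added example, not part of this article and not PAN-OS code: it uses the openssl command line (1.1.1 or later is assumed) to build a throwaway CA in a temporary directory with a constructed configuration, issue a certificate, revoke it, and compare verification against the CRL taken before the revocation (the "stale cache" case) with verification against the CRL issued afterwards. The file and subject names (ca.cnf, leaf.crt, "Demo Root CA", "user1") are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the PAN-OS article): build a throwaway CA with
# openssl, issue a certificate, revoke it, and show (a) that a fresh CRL
# makes verification fail and (b) that a stale CRL fetched before the
# revocation still accepts the certificate, which is why a cached CRL on
# a firewall has to be refreshed or flushed. Everything is created in a
# temporary directory; no firewall or real CA is involved.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal CA configuration (constructed for this demo only)
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
serial           = serial
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
touch index.txt
echo 1000 > serial

# Root CA key and self-signed certificate
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Demo Root CA" -config ca.cnf >/dev/null 2>&1

# Leaf certificate issued by the demo CA (think of it as a user's client cert)
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=user1" -config ca.cnf >/dev/null 2>&1
openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.crt >/dev/null 2>&1

# CRL as a relying party would have cached it before any revocation
openssl ca -config ca.cnf -gencrl -out crl-before.pem >/dev/null 2>&1

# The private key is reported compromised: revoke and publish a new CRL
openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl-after.pem >/dev/null 2>&1

# check_with_crl CRL CERT: returns 0 when the chain validates against that
# CRL, 1 when openssl rejects it (for example with "certificate revoked")
check_with_crl() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" "$2" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# revoked_count CRL: number of serial numbers listed as revoked in the CRL
revoked_count() {
  openssl crl -in "$1" -noout -text | grep -c 'Serial Number:' || true
}

echo "stale CRL accepts leaf.crt:   $(check_with_crl crl-before.pem leaf.crt && echo yes || echo no)"
echo "fresh CRL accepts leaf.crt:   $(check_with_crl crl-after.pem leaf.crt && echo yes || echo no)"
echo "revoked entries in fresh CRL: $(revoked_count crl-after.pem)"
```

The stale CRL reports the certificate as good and the fresh one rejects it; on a firewall the same gap exists between the CRL (or OCSP response) held in the MP/DP cache and the current one published by the CA, which is what the `debug sslmgr delete` and `debug dataplane reset ssl-decrypt` commands close.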
Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clr9CAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail