Palo Alto Networks Knowledgebase: How to Configure an OCSP Responder
Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
This document describes the steps to configure an OCSP Responder.
1. Go to Device > Certificate Management > OCSP Responder and create a new responder. Enter the IP address of the firewall interface that will answer OCSP queries.
2. Under Device > Certificate Management > Certificates, create a new certificate and choose the OCSP Responder created in Step 1. The certificate must be signed by a CA that is already present on the firewall (or be a self-signed certificate itself).
3. Under Network > Network Profiles > Interface Mgmt, create a new profile or modify an existing one to include the HTTP OCSP option.
4. Under Network > Interfaces, click on the interface whose IP address was used in Step 1. Under the Advanced tab, select the Management Profile from Step 3.
5. (Optional, depending on configuration) If your firewall has a blanket 'deny all' rule, you'll need to add a policy that allows same-zone traffic in the zone where the interface from Step 4 resides. You can restrict it to the 'ocsp' application.
This configuration can be tested with OpenSSL. You'll need 2-3 certificates to do so:
- The root CA certificate
- The signing certificate (may be the same as the root, or it may be an intermediate)
- The server certificate you want to check
The following OpenSSL command can be used. This example assumes that the root CA signed the server certificate directly, not an intermediate CA:
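The script below is an added example and is not the article's own command. Rather than depending on a reachable firewall, it builds a constructed throwaway PKI in which the root CA signs the server certificate directly (the case the article assumes), starts a local `openssl ocsp` responder on 127.0.0.1, and then runs the client query with the same options you would point at the firewall: `-issuer` and `-CAfile` for the root/signing certificate, `-cert` for the server certificate, and `-url` for the responder. It also revokes the certificate and queries again, so both the "good" and "revoked" answers are seen. Assumptions: OpenSSL 1.1.1 or 3.x on PATH, TCP port 18888 free (override with `OCSP_PORT`), and the name `server.example.test`, which is made up for the example.

```shell
#!/bin/sh
# Added example, not part of the Palo Alto Networks article.
# Builds a constructed throwaway PKI (root CA signs the server certificate
# directly), runs a local "openssl ocsp" responder on 127.0.0.1, and queries it
# with the client options you would otherwise point at the firewall's responder.
# Assumptions: openssl 1.1.1 or 3.x on PATH; TCP port $OCSP_PORT (18888) free.
set -eu

OCSP_PORT="${OCSP_PORT:-18888}"
SUBJECT="/CN=server.example.test"   # constructed name
SERIAL_HEX="1000"                    # serial 0x1000, as stored in the CA database

# Generate root CA, server key/CSR, and the root-signed server certificate.
make_test_pki() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -subj "/CN=Constructed Test Root" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$SUBJECT" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -set_serial "0x$SERIAL_HEX" -in "$WORK/server.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -out "$WORK/server.pem" 2>/dev/null
  # OpenSSL CA database line the responder consults: V = valid.
  printf 'V\t991231235959Z\t\t%s\tunknown\t%s\n' "$SERIAL_HEX" "$SUBJECT" > "$WORK/index.txt"
}

# Mark the server certificate revoked (R, with a revocation time) in the database.
revoke_server_cert() {
  printf 'R\t991231235959Z\t%s\t%s\tunknown\t%s\n' \
    "$(date -u +%y%m%d%H%M%SZ)" "$SERIAL_HEX" "$SUBJECT" > "$WORK/index.txt"
}

# Responder: signs responses with the CA key itself; -nrequest 1 makes it answer
# a single request and exit, so the state change between queries is unambiguous.
start_responder() {
  openssl ocsp -index "$WORK/index.txt" -port "$OCSP_PORT" \
    -rsigner "$WORK/root.pem" -rkey "$WORK/root.key" -CA "$WORK/root.pem" \
    -nrequest 1 >/dev/null 2>&1 &
  RESP_PID=$!
}

# Client: issuer cert, cert under test, responder URL, trust anchor for the
# response signature. Prints only the status word once the signature verifies.
query_status() {
  for _ in 1 2 3 4 5; do
    out="$(openssl ocsp -issuer "$WORK/root.pem" -cert "$WORK/server.pem" \
            -url "http://127.0.0.1:$OCSP_PORT" -CAfile "$WORK/root.pem" 2>&1 || true)"
    if printf '%s\n' "$out" | grep -q 'Response verify OK'; then
      printf '%s\n' "$out" | sed -n 's|^.*server\.pem: \([a-z]*\).*|\1|p' | head -n 1
      return 0
    fi
    sleep 1   # responder may still be binding its port
  done
  return 1
}

# Full round trip: expect "good", revoke, expect "revoked".
check_good_then_revoked() {
  WORK="$(mktemp -d)"
  make_test_pki
  start_responder
  first="$(query_status)"
  wait "$RESP_PID" || true
  revoke_server_cert
  start_responder
  second="$(query_status)"
  wait "$RESP_PID" || true
  rm -rf "$WORK"
  echo "$first $second"
}

check_good_then_revoked
```

Against the real firewall, the client invocation inside `query_status` is the part to reuse: replace `-issuer`/`-CAfile` with the CA certificate that signed the server certificate (exported from Device > Certificate Management > Certificates), `-cert` with the server certificate to check, and `-url` with `http://<interface IP from Step 1>`. Two lines matter in the output: `Response verify OK`, which confirms the response signature chains to the CA you trust, and the `<file>: good|revoked|unknown` status line. A status of `unknown` for a certificate the firewall issued usually means the query reached a responder that does not hold that CA, which is the case to re-check Steps 1 and 2.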