Palo Alto Networks Knowledgebase: How to Configure an OCSP Responder

Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
Resolution

Overview

This document describes the steps to configure an OCSP Responder.


Steps

  1. Go to Device > Certificate Management > OCSP Responder, and create a new responder. Give the IP address of the interface to be used for the OCSP queries.
    [Screenshot: 1-ocsp.png]
  2. Under Device > Certificate Management > Certificates, create a new certificate and choose the OCSP Responder created in Step 1. It will need to be signed by a CA already present on the firewall (or be a self-signed certificate itself).
    [Screenshot: 2-cert.png]
  3. Under Network > Network Profiles > Interface Mgmt, create a new profile or modify an existing one to include the HTTP OCSP option.
    [Screenshot: 3-netprofile.png]
  4. Under Network > Interfaces, click on the interface that matches the IP used in Step 1. Under the Advanced tab, select the Management Profile from Step 3.
    [Screenshot: 4-interface.png]
  5. (Optional, depending on configuration) If your firewall has a blanket 'deny all' rule, you'll need to add a policy to allow same-zone traffic in the zone where your interface from Step 4 falls. You can restrict it to the 'ocsp' application.


This configuration can be tested with OpenSSL. You'll need two or three certificates to do so:

  • The root CA certificate
  • The signing certificate (may be the same as the root, or it may be an intermediate)
  • The server certificate you want to check


The following OpenSSL command can be used. This example assumes that the root CA signed the server certificate directly, with no intermediate CA in between:

openssl ocsp -issuer root.cer -CAfile root.cer -cert server.cer -url http://192.0.2.1/CA/ocsp


root.cer represents the Root CA and signer of the server certificate.

server.cer represents the server certificate.

http://192.0.2.1/CA/ocsp is the full URI needed to access the OCSP responder on the Palo Alto Networks Firewall. If the path (/CA/ocsp) is excluded, the test will fail.
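As an added example (not part of the original article), the following POSIX shell wrapper runs the same openssl ocsp test, classifies the result, and treats a query error (for instance a URL that omits the /CA/ocsp path) or a response whose signature did not verify as a failure rather than a pass. The certificate file names, the root-plus-intermediate bundle for the intermediate case, and the sample outputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): wrap the article's openssl ocsp test and
# classify its output so the check can be scripted. File names, the trust bundle
# and the responder URL are assumptions; adjust them to your deployment.

# Classify captured `openssl ocsp` output. $1 = combined stdout/stderr of the
# command, $2 = server certificate file name as passed to -cert. Prints one of
# good, revoked, unknown, query-failed, verify-failed, unparsed; only good exits 0.
classify_ocsp() {
  out=$1; cert=$2
  case $out in
    *"Error querying OCSP responder"*) echo query-failed; return 1 ;;
  esac
  # A status line is meaningless unless the response signature verified.
  case $out in
    *"Response verify OK"*) ;;
    *) echo verify-failed; return 1 ;;
  esac
  case $out in
    *"$cert: good"*)    echo good;    return 0 ;;
    *"$cert: revoked"*) echo revoked; return 2 ;;
    *"$cert: unknown"*) echo unknown; return 3 ;;
  esac
  echo unparsed; return 1
}

# Run the query. $1 = issuer cert, $2 = trust bundle for -CAfile, $3 = server
# cert, $4 = responder URL (keep the /CA/ocsp path, as the article notes). If an
# intermediate issued the server cert, pass it as $1 and root+intermediate as $2.
check_ocsp() {
  out=$(openssl ocsp -issuer "$1" -CAfile "$2" -cert "$3" -url "$4" 2>&1)
  classify_ocsp "$out" "$3"
}

# Constructed sample outputs shaped like openssl ocsp's; they are not real captures.
SAMPLE_GOOD='Response verify OK
server.cer: good
	This Update: Feb  7 23:46:00 2019 GMT'
SAMPLE_REVOKED='Response verify OK
server.cer: revoked
	Revocation Time: Feb  7 23:46:00 2019 GMT'
SAMPLE_NOPATH='Error querying OCSP responder'     # URL without /CA/ocsp
SAMPLE_UNVERIFIED='Response Verify Failure
server.cer: good'                                 # status present, signature not trusted
for s in "$SAMPLE_GOOD" "$SAMPLE_REVOKED" "$SAMPLE_NOPATH" "$SAMPLE_UNVERIFIED"; do
  classify_ocsp "$s" server.cer || true
done
# Live check (uncomment once the certificates are in place):
# check_ocsp root.cer root.cer server.cer http://192.0.2.1/CA/ocsp
```

Running the script prints the classification of each constructed sample; the commented live check is the article's command with root.cer used as both issuer and trust anchor.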


owner: gwesson
