This document describes the steps to configure an OCSP Responder on a Palo Alto Networks firewall.
Steps
1. Go to Device > Certificate Management > OCSP Responder, and create a new responder. Give the IP address of the interface to be used for the OCSP queries.
2. Under Device > Certificate Management > Certificates, create a new certificate and choose the OCSP Responder created in Step 1. It will need to be signed by a CA already present on the firewall (or be a self-signed certificate itself).
3. Under Network > Network Profiles > Interface Mgmt, create a new profile or modify an existing one to include the HTTP OCSP option.
4. Under Network > Interfaces, click on the interface that matches the IP used in Step 1. Under the Advanced tab, select the Management Profile from Step 3.
5. (Optional, depending on configuration) If your firewall has a blanket 'deny all' rule, you'll need to add a security policy that allows same-zone traffic in the zone where the interface from Step 4 falls. You can restrict it to the 'ocsp' application.
This configuration can be tested with OpenSSL. You'll need 2-3 certificates to do so:
- The root CA certificate
- The signing certificate (may be the same as the root, or it may be an intermediate)
- The server certificate you want to check
The following OpenSSL command can be used. This example assumes that the root CA signed the server certificate directly, not an intermediate CA:
- root.cer represents the Root CA and signer of the server certificate.
- server.cer represents the server certificate.
- http://192.0.2.1/CA/ocsp is the full URI needed to access the OCSP responder on the Palo Alto Networks Firewall. If the path (/CA/ocsp) is excluded, the test will fail.
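As an added example (not part of the original article, and not Palo Alto Networks code), the shell script below builds a throwaway root CA and server certificate, starts OpenSSL's own index-file-driven mock responder on loopback, and runs the `openssl ocsp` client query the article describes against it, so the query syntax and the output handling can be checked offline before the query is pointed at the firewall. The file names (root.cer, server.cer, index.txt), the work directory and the loopback port are assumptions; 192.0.2.1 and the /CA/ocsp path are the values from the article and are only checked for shape here, never contacted. The same client line with -url set to the firewall's responder URL is the live test.

```shell
#!/bin/sh
# Added example, not from the original article or Palo Alto Networks.
# Builds a throwaway single-tier PKI, runs OpenSSL's built-in mock OCSP
# responder on loopback, and issues the client query the article describes.
# Assumptions: the file names, work directory and port below. The firewall URL
# (192.0.2.1/CA/ocsp) is the article's value; it is only shape-checked here.

OCSP_WORK="${OCSP_WORK:-$(mktemp -d)}"
OCSP_PORT="${OCSP_PORT:-18888}"
OCSP_FIREWALL_URL="http://192.0.2.1/CA/ocsp"   # from the article
OCSP_STATUS="not-run"

# The article's caveat: the firewall only answers on the full path, so reject
# a URL with no path component before sending anything.
check_responder_url() {
    case "$1" in
        http://*/[!/]*|https://*/[!/]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce the client's combined stdout/stderr to one status word. A status is
# only trusted when the response signature chained to the -CAfile anchor.
parse_ocsp_output() {
    case "$1" in
        *"Response verify OK"*) ;;
        *) echo "unverified"; return 1 ;;
    esac
    case "$1" in
        *": good"*)    echo "good" ;;
        *": revoked"*) echo "revoked" ;;
        *": unknown"*) echo "unknown" ;;
        *)             echo "no-status"; return 1 ;;
    esac
}

# Self-signed root that issued server.cer and also signs OCSP responses:
# the single-tier case the article's OpenSSL example assumes.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$OCSP_WORK/root.key" -out "$OCSP_WORK/root.cer" \
        -subj "/CN=OCSP Test Root CA" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$OCSP_WORK/server.key" -out "$OCSP_WORK/server.csr" \
        -subj "/CN=ocsp-test-server" >/dev/null 2>&1 || return 1
    # Fixed serial 4097 (hex 1001) so the index row below matches it.
    openssl x509 -req -days 1 -set_serial 4097 -in "$OCSP_WORK/server.csr" \
        -CA "$OCSP_WORK/root.cer" -CAkey "$OCSP_WORK/root.key" \
        -out "$OCSP_WORK/server.cer" >/dev/null 2>&1 || return 1
    # One row in 'openssl ca' index.txt layout, six tab-separated fields:
    # status (V = valid), expiry, revocation date (empty), serial, file, subject.
    printf 'V\t391231235959Z\t\t1001\tunknown\t/CN=ocsp-test-server\n' \
        > "$OCSP_WORK/index.txt"
}

# OpenSSL's index-driven responder, serving exactly one request, in the background.
start_mock_responder() {
    openssl ocsp -index "$OCSP_WORK/index.txt" -port "$OCSP_PORT" -nrequest 1 \
        -CA "$OCSP_WORK/root.cer" -rsigner "$OCSP_WORK/root.cer" \
        -rkey "$OCSP_WORK/root.key" >/dev/null 2>&1 &
    OCSP_RESP_PID=$!
}

# The query from the article: issuer, certificate under test, trust anchor for
# the response signature, and the responder URL including its path.
query_ocsp() {   # $1 = responder URL
    check_responder_url "$1" || { echo "refusing URL without a path: $1"; return 1; }
    openssl ocsp -issuer "$OCSP_WORK/root.cer" -cert "$OCSP_WORK/server.cer" \
        -CAfile "$OCSP_WORK/root.cer" -url "$1" 2>&1
}

run_ocsp_demo() {
    make_test_pki || { OCSP_STATUS="pki-setup-failed"; return 1; }
    start_mock_responder
    tries=0
    while [ "$tries" -lt 10 ]; do
        out="$(query_ocsp "http://127.0.0.1:$OCSP_PORT/CA/ocsp" || true)"
        if OCSP_STATUS="$(parse_ocsp_output "$out")"; then break; fi
        tries=$((tries + 1)); sleep 1      # responder may not be listening yet
    done
    if [ "$tries" -ge 10 ]; then kill "$OCSP_RESP_PID" 2>/dev/null || true; fi
    wait "$OCSP_RESP_PID" 2>/dev/null || true
    [ "$OCSP_STATUS" = "good" ]
}

if run_ocsp_demo; then
    echo "mock responder says server.cer is: $OCSP_STATUS"
else
    echo "OCSP check did not return a verified 'good' status: $OCSP_STATUS" >&2
fi
# Against the firewall, only the URL changes:
#   openssl ocsp -issuer root.cer -cert server.cer -CAfile root.cer -url "$OCSP_FIREWALL_URL"
check_responder_url "$OCSP_FIREWALL_URL" && echo "live target URL has a path: $OCSP_FIREWALL_URL"
```

Two details carry over to the live test: `-CAfile root.cer` is what lets OpenSSL print "Response verify OK", and a status line that arrives with "Response Verify Failure" should be treated as unverified rather than as a good result. The path check mirrors the article's note that the bare IP without /CA/ocsp fails against the firewall.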