Palo Alto Networks Knowledgebase: Block Page Appears on Expired Certificates When CRL/OCSP Check is Enabled
Created On 02/07/19 23:38 PM - Last Updated 02/07/19 23:39 PM
Traffic is blocked during SSL decryption when a certificate is expired and when the option to use CRL/OCSP to check certificate status is enabled (Device > Setup > Session > Decryption Certificate Revocation Settings). This can be observed even if "Block sessions with expired certificate" is not enabled in a Decryption Profile.
An expired certificate cannot become a valid certificate, so as part of the CRL/OCSP check the Palo Alto Networks firewall rejects every expired certificate and displays the SSL block page when one is encountered, regardless of the "Block sessions with expired certificate" setting in the Decryption Profile.
To resolve the issue, create or import a valid (non-expired) certificate.