Block Page Appears on Expired Certificates When CRL/OCSP Check is Enabled

Created On 09/26/18 13:52 PM - Last Modified 07/19/22 23:11 PM




Symptom

Traffic is blocked during SSL decryption when the certificate presented by the server is expired and certificate revocation checking via CRL/OCSP is enabled (Device > Setup > Session > Decryption Certificate Revocation Settings). This occurs even if "Block sessions with expired certificate" is not enabled in the Decryption Profile.

 

Cause

Revocation status is only meaningful for a certificate that is within its validity period; an expired certificate can never be valid, whatever a CRL or OCSP responder reports about it. As part of the CRL/OCSP check the Palo Alto Networks firewall therefore rejects every expired certificate and displays the SSL block page when one is encountered, independently of the Decryption Profile setting.

 

Resolution

Create or import a valid (non-expired) certificate for the affected server to resolve the issue. As long as CRL/OCSP checking is enabled, every expired certificate will be blocked in this way, regardless of whether "Block sessions with expired certificate" is set in the Decryption Profile.
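The following is an added example, not Palo Alto Networks code, for finding the certificates that trigger this block page before users do. It parses the notAfter field in the format returned by Python's ssl.SSLSocket.getpeercert() (the same "Mon DD HH:MM:SS YYYY GMT" format OpenSSL prints), classifies an inventory of certificates as expired, expiring soon or fine, and models the decision described above: with CRL/OCSP checking on, an expired certificate is blocked whether or not the profile's "Block sessions with expired certificate" option is set. The host names, certificate dicts and the evaluation time NOW are constructed for the example; in practice the dicts would be collected from the servers being decrypted.

```python
"""Check which server certificates will be blocked once CRL/OCSP checking is enabled.

Added example, not Palo Alto Networks code. The certificate dicts are
constructed in the shape of ssl.SSLSocket.getpeercert(); the host names and
the evaluation time NOW are assumptions for reproducibility.
"""
import ssl
import time

# Constructed evaluation time (UTC) so the results are reproducible.
NOW = ssl.cert_time_to_seconds("Aug  1 00:00:00 2022 GMT")

# Constructed sample inventory in getpeercert() format (hypothetical hosts).
CERTS = {
    "intranet-legacy": {
        "subject": ((("commonName", "legacy.corp.example"),),),
        "notBefore": "Jul 19 23:11:00 2021 GMT",
        "notAfter": "Jul 19 23:11:00 2022 GMT",   # already past NOW
    },
    "intranet-api": {
        "subject": ((("commonName", "api.corp.example"),),),
        "notBefore": "Aug 20 00:00:00 2021 GMT",
        "notAfter": "Aug 20 00:00:00 2022 GMT",   # 19 days left at NOW
    },
    "intranet-portal": {
        "subject": ((("commonName", "portal.corp.example"),),),
        "notBefore": "Aug  1 00:00:00 2022 GMT",
        "notAfter": "Aug  1 00:00:00 2023 GMT",   # a year left at NOW
    },
}


def not_after_epoch(cert):
    """Parse notAfter ('%b %d %H:%M:%S %Y GMT', as OpenSSL prints it) to epoch seconds."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def is_expired(cert, now=None):
    """RFC 5280 validity includes notAfter itself, so a cert is expired only once now > notAfter."""
    now = time.time() if now is None else now
    return now > not_after_epoch(cert)


def days_until_expiry(cert, now=None):
    """Whole days left until notAfter (negative once the certificate has expired)."""
    now = time.time() if now is None else now
    return int((not_after_epoch(cert) - now) // 86400)


def blocked_by_decryption(cert, crl_ocsp_enabled, block_expired_in_profile, now=None):
    """Model the behaviour described in the article.

    With revocation checking enabled, an expired certificate is rejected during
    the CRL/OCSP check itself, so the Decryption Profile's "Block sessions with
    expired certificate" option no longer matters. With revocation checking
    disabled, that profile option alone decides.
    """
    if not is_expired(cert, now):
        return False
    return crl_ocsp_enabled or block_expired_in_profile


def scan(inventory, now=None, warn_days=30):
    """Classify each certificate so it can be renewed before the firewall starts blocking it."""
    now = time.time() if now is None else now
    report = {}
    for name, cert in inventory.items():
        if is_expired(cert, now):
            report[name] = "expired"
        elif days_until_expiry(cert, now) < warn_days:
            report[name] = "expiring-soon"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    for name, status in scan(CERTS, NOW).items():
        print(f"{name:16} {status:14} {days_until_expiry(CERTS[name], NOW):>5} days")
```

Run against a live inventory by replacing CERTS with the dicts returned by getpeercert() from each server and dropping the fixed NOW; anything reported as "expired" will show the block page as soon as CRL/OCSP checking is turned on, and "expiring-soon" entries are the ones to renew first.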

 

owner: ymiyashita




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClwDCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail