Palo Alto Networks Knowledgebase: Block Page Appears on Expired Certificates When CRL/OCSP Check is Enabled

Created On 02/07/19 23:38 PM - Last Updated 02/07/19 23:39 PM

Symptom

Traffic is blocked during SSL decryption when a certificate is expired and when the option to use CRL/OCSP to check certificate status is enabled (Device > Setup > Session > Decryption Certificate Revocation Settings). This can be observed even if "Block sessions with expired certificate" is not enabled in a Decryption Profile.


Cause

An expired certificate can never be a valid certificate, so the revocation status returned by CRL or OCSP is irrelevant to it. As part of the CRL/OCSP check, the Palo Alto Networks firewall therefore rejects every expired certificate and displays the SSL block page when one is encountered, independently of the Decryption Profile's "Block sessions with expired certificate" setting.


Resolution

Create or import a valid (non-expired) certificate on the server to resolve the issue.


owner: ymiyashita
