https://live.paloaltonetworks.com/t5/general-topics/ocsp-query/m-p/33100#M24258 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We are implementing a SSL-VPN solution using Global Protect and our own CA. From what I have seen the OCSP queries are made on demand, when the certificate is presented for the first time, and then at a fixed interval(60 minutes). I tried changing the interval using the "debug sslmgr set ocsp-next-update-time" but did not have any effect on the update interval.</P><P>I wanted to test the PKI infrastructure and modify the state of a certain certificate. Even though I cleared the ocsp cache "debug sslmgr delete ocsp all", when I used the certificate for witch PA had cached a oscp query(that I deleted earlier) PA used the old state of the certificate.</P><P>Is there any other way to effectively clear the ocsp cache, or modify the ocsp update time?</P><P></P><P>Thanks,</P><P></P><P>Costin</P></BODY></HTML> Thu, 04 Apr 2013 15:54:20 GMT conceptelectronics 2013-04-04T15:54:20Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-query/m-p/33100#M24258 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We are implementing a SSL-VPN solution using Global Protect and our own CA. From what I have seen the OCSP queries are made on demand, when the certificate is presented for the first time, and then at a fixed interval(60 minutes). I tried changing the interval using the "debug sslmgr set ocsp-next-update-time" but did not have any effect on the update interval.</P><P>I wanted to test the PKI infrastructure and modify the state of a certain certificate. Even though I cleared the ocsp cache "debug sslmgr delete ocsp all", when I used the certificate for witch PA had cached a oscp query(that I deleted earlier) PA used the old state of the certificate.</P><P>Is there any other way to effectively clear the ocsp cache, or modify the ocsp update time?</P><P></P><P>Thanks,</P><P></P><P>Costin</P></BODY></HTML> Thu, 04 Apr 2013 15:54:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-query/m-p/33100#M24258 conceptelectronics 2013-04-04T15:54:20Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-query/m-p/33101#M24259 <HTML><HEAD></HEAD><BODY><P>You can clear the cache using the following commands:</P><P></P><P>On MP:</P><P>debug sslmgr delete ocsp</P><P></P><P>On DP:</P><P>debug dataplane reset ssl-decrypt certificate-cache, or </P><P>debug dataplane reset ssl-decrypt certificate-status</P></BODY></HTML> Thu, 04 Apr 2013 19:25:28 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-query/m-p/33101#M24259 zarina 2013-04-04T19:25:28Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-query/m-p/33102#M24260 <HTML><HEAD></HEAD><BODY><P>Thanks,</P><P></P><P>That solved the cache clearing problem, but I still have an issue with the ocsp update time.</P><P>And also there is a difference in the time showed on the device and in the ocsp debug.</P><P>admin@pa5050(active)&gt; debug sslmgr view ocsp all</P><P></P><P>Current time is: Fri Apr&nbsp; 5 10:19:48 2013</P><P></P><P>Count&nbsp;&nbsp; Serial Number (HEX)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Status&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Next Update&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Revocation Time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Reason&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Issuer Name Hash</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OCSP Responder URL</P><P>------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------</P><P>[&nbsp;&nbsp;&nbsp; 1] 15BA94EB8D8B7993&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Apr 11 15:02:34 2013 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 09b9f61a</P><P><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><A class="jive-link-external-small" href="http://tpp.sniep.ro/ocsp">http://tpp.sniep.ro/ocsp</A></P><P></P><P>admin@pa5050(active)&gt; show clock</P><P></P><P>Fri Apr&nbsp; 5 13:19:55 EEST 2013</P><P></P><P>admin@pa5050(active)&gt; </P></BODY></HTML> Fri, 05 Apr 2013 10:14:05 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-query/m-p/33102#M24260 conceptelectronics 2013-04-05T10:14:05Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-query/m-p/33103#M24261 <HTML><HEAD></HEAD><BODY><P>The current time is listed in UTC whereas the clock is listed per the time zone configured on the device. I will have to look for the update time issue.</P></BODY></HTML> Mon, 08 Apr 2013 16:46:26 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-query/m-p/33103#M24261 zarina 2013-04-08T16:46:26Z