How Often are Certificate Revocation Lists (CRL) Refreshed?

Overview

When decryption is enabled, the Palo Alto Networks firewall actively collects data in the certificates for the Certificate Revocation Lists (CRL). The information is used to get details about the revoked certificates and update intervals. A CRL contains the information about when the firewall should be checked again. The CRL is refreshed on the firewall according to the time when the next update interval is given on the certificate itself.

For example, the CRL for Google is shown on this image:

It is possible to view current CRL information and also clear those lists.

If checking the CRL on the Palo Alto Networks firewall the same information will appear for the next update interval.

> debug sslmgr view crl http://pki.google.com/GIAG2.crl

Current time is: Wed Nov 26 09:02:23 2014

Next update time is Dec 06 05:00:03 2014 GMT

Count   Serial Number                            Revocation Date       

------- ---------------------------------------- ------------------------

[1    ] 5C3554B16F8C8D6F                         Oct 29 09:54:02 2014 GMT

[2    ] 4FB7E1449E931F22                         Apr 07 14:24:42 2014 GMT

[3    ] 78B5252CB70AB2C9                         May 22 10:27:08 2014 GMT

[4    ] 0CD37F0CC118D6E1                         Sep 08 14:18:39 2014 GMT

[5    ] 0D2AF612383ADA5C                         Jul 09 07:58:39 2014 GMT

[6    ] 1E9B268A9545A340                         Apr 11 09:31:20 2014 GMT

To delete a list:

> debug sslmgr delete crl

Note: Deleting a list will not cause it to refresh automatically. A CRL is only accessed when a certificate using the CRL is seen.

owner: kfindlen