How Often are Certificate Revocation Lists (CRL) Refreshed?
Resolution
Overview
When decryption is enabled, the Palo Alto Networks firewall reads the Certificate Revocation List (CRL) information from the certificates it sees and downloads the CRL. The CRL supplies the list of revoked certificates together with its own next-update time, which tells the firewall when the list should be checked again. The firewall refreshes the CRL according to that next-update time carried in the CRL itself.
For example, the CRL information for a Google certificate is shown in this image:
The current CRL information can be viewed on the firewall, and the cached lists can also be cleared.
Viewing the CRL on the Palo Alto Networks firewall shows the same next-update time:
> debug sslmgr view crl http://pki.google.com/GIAG2.crl
Current time is: Wed Nov 26 09:02:23 2014
Next update time is Dec 06 05:00:03 2014 GMT
Count Serial Number Revocation Date
------- ---------------------------------------- ------------------------
[1 ] 5C3554B16F8C8D6F Oct 29 09:54:02 2014 GMT
[2 ] 4FB7E1449E931F22 Apr 07 14:24:42 2014 GMT
[3 ] 78B5252CB70AB2C9 May 22 10:27:08 2014 GMT
[4 ] 0CD37F0CC118D6E1 Sep 08 14:18:39 2014 GMT
[5 ] 0D2AF612383ADA5C Jul 09 07:58:39 2014 GMT
[6 ] 1E9B268A9545A340 Apr 11 09:31:20 2014 GMT
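As an added example (not from the Palo Alto Networks article or from PAN-OS itself), the following Python parses output in the shape of the `debug sslmgr view crl` listing above and applies the refresh rule the article describes: a CRL is refetched only once its own next-update time has passed, and a certificate is treated as revoked when its serial appears in the list. The sample listing is constructed from the lines shown above, and the firewall's "Current time" is assumed to be UTC for the comparison.

```python
import re
from datetime import datetime, timezone

# Sample listing constructed from the firewall output shown above (not captured live).
SAMPLE_OUTPUT = """\
Current time is: Wed Nov 26 09:02:23 2014
Next update time is Dec 06 05:00:03 2014 GMT
Count Serial Number Revocation Date
------- ---------------------------------------- ------------------------
[1 ] 5C3554B16F8C8D6F Oct 29 09:54:02 2014 GMT
[2 ] 4FB7E1449E931F22 Apr 07 14:24:42 2014 GMT
[3 ] 78B5252CB70AB2C9 May 22 10:27:08 2014 GMT
"""

# One revoked-entry row: "[n ] <hex serial> <Mon DD HH:MM:SS YYYY> GMT"
ENTRY_RE = re.compile(r"^\[\s*\d+\s*\]\s+([0-9A-Fa-f]+)\s+(.+?)\s+GMT$")


def _parse_gmt(text):
    # "Dec 06 05:00:03 2014" -> timezone-aware UTC datetime
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_crl_view(output):
    """Parse `debug sslmgr view crl` style output into the current time,
    the CRL's next-update time and a {serial: revocation_time} map."""
    info = {"current": None, "next_update": None, "revoked": {}}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Current time is:"):
            # Assumption: the firewall clock is read as UTC for the comparison.
            stamp = line.split(":", 1)[1].strip()
            info["current"] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        elif line.startswith("Next update time is"):
            stamp = re.sub(r"\s+GMT$", "", line[len("Next update time is"):])
            info["next_update"] = _parse_gmt(stamp)
        else:
            m = ENTRY_RE.match(line)
            if m:
                info["revoked"][m.group(1).upper()] = _parse_gmt(m.group(2))
    return info


def refresh_due(info, now):
    """The firewall refetches a CRL only once the CRL's own next-update time has passed."""
    return now >= info["next_update"]


def is_revoked(info, serial_hex):
    """Serials are compared numerically so leading zeros and hex case do not matter."""
    wanted = int(serial_hex, 16)
    return any(int(s, 16) == wanted for s in info["revoked"])
```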
To delete a list:
> debug sslmgr delete crl
Note: Deleting a list will not cause it to refresh automatically. A CRL is only accessed when a certificate using the CRL is seen.
owner: kfindlen