Palo Alto Networks Supports DER Format for Certificate Revocation List (CRL)

Created On 09/26/18 13:49 PM - Last Modified 06/08/23 00:50 AM


Resolution


Details

When a customer creates a Client Certificate Profile and enables "Use CRL", the CRL files must be in Distinguished Encoding Rules (DER) format; a PEM (Base64-encoded) CRL is not accepted.
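An added check for this requirement (not code from the article or from Palo Alto Networks): it classifies a CRL file as DER or PEM, verifies that a DER file is one complete ASN.1 SEQUENCE (catching truncated files), and converts PEM to DER the way `openssl crl -inform PEM -outform DER` does. The sample CRL bytes are constructed and only structurally valid, not a real signed CRL.

```python
import base64
import re

# Constructed sample: SEQUENCE { SEQUENCE { INTEGER 1 } } wrapped in PEM.
# Structurally valid DER, but not a real, signed CRL.
SAMPLE_DER = bytes.fromhex("30053003020101")
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def der_total_length(data: bytes) -> int:
    """Encoded size (tag + length + content) of the outermost DER element.
    A CRL is an ASN.1 SEQUENCE, so the first byte must be 0x30."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Classify CRL file contents as 'DER', 'PEM' or 'unknown' (e.g. truncated)."""
    if data.lstrip().startswith(b"-----BEGIN X509 CRL-----"):
        return "PEM"
    try:
        return "DER" if der_total_length(data) == len(data) else "unknown"
    except ValueError:
        return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Convert a PEM CRL to DER (same result as openssl crl -inform PEM -outform DER)."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no X509 CRL PEM block found")
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if der_total_length(der) != len(der):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    return der
```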


Use the following CLI command to verify the use of CRL is enabled:

> show system setting ssl-decrypt setting

vsys                          : vsys1
Forward Proxy Ready           : yes
Inbound Proxy Ready           : yes
Disable ssl                   : no
Disable ssl-decrypt           : no
Notify user                   : no
Proxy for URL                 : no
Wait for URL                  : no
Block revoked Cert            : yes
Block timeout Cert            : no
Block unknown Cert            : no
Cert Status Query Timeout     : 5
URL Category Query Timeout    : 5
Use Cert Cache                : yes
Verify CRL                    : yes 
Verify OCSP                   : no
CRL Status receive Timeout    : 5
OCSP Status receive Timeout   : 5


If Verify CRL is shown as "no", it can be enabled with the following CLI commands:

> configure
# set deviceconfig setting ssl-decrypt crl yes
# commit


Additional Information on Debug Commands

  • Enable debug:
    > debug sslmgr on debug
    Note: Run the debug mode for 3 to 4 hours to cover at least a couple of "Next Update" time periods for the CRL in question, and collect the Tech Support file.


  • Collect the following output at every half of the "Next Update" time period:
    > show clock
    > debug sslmgr statistics
    > debug sslmgr tar-all-crl
    > debug sslmgr view crl <value>


  • Disable debug:
    > debug sslmgr on info


  • Clear the CRL cache on the CP and DP:
    > debug sslmgr delete crl all
    > debug dataplane reset ssl-decrypt certificate-cache


For more information, review the OpenSSL online manual: http://www.openssl.org/docs/apps/crl.html


owner: kkondo


