OCSP

OCSP, short for Online Certificate Status Protocol, is a protocol used to determine the revocation status of X.509 digital certificates in real time. It allows a client to query an OCSP responder about a particular certificate and receive a signed response that indicates whether the certificate is still valid (good), has been revoked, or has an unknown status. OCSP responses include validity intervals and may carry a revocation reason. The protocol is defined in RFC 6960.

Operation: The client constructs a certificate identifier (certID) containing a hash of the issuer's name, a hash of the issuer's public key (both computed with a chosen hash algorithm), and the certificate's serial number. The request is sent to the URL specified in the certificate's Authority Information Access extension. The responder returns a BasicOCSPResponse that contains the status and a chain of signer certificates. The response is time-stamped with thisUpdate and nextUpdate, and can include a nonce to prevent replay.

Transport and deployment: OCSP commonly uses HTTP as the transport. It supports GET requests or POST with DER-encoded data. To reduce latency and improve privacy, many servers deploy OCSP stapling, where the web server obtains and periodically caches the OCSP response and presents it during TLS handshakes. There is also a Must-Staple X.509 extension that enforces the presence of a stapled OCSP response.

Limitations and policy: OCSP can reveal which certificates a client is using to the responder, raising privacy concerns; the availability of responders is critical for timely revocation information. Browsers may implement soft-fail or hard-fail policies when an OCSP response cannot be obtained. As an alternative to OCSP, Certificate Revocation Lists (CRLs) provide revocation data as a signed list.
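The certID, nonce extension and GET/POST encodings described above, shown as an added example (not from this page or from any OCSP implementation) that builds an unsigned DER OCSPRequest with only the Python standard library. It assumes you have already pulled the issuer's DER-encoded Name and the payload of its subjectPublicKey BIT STRING out of the issuer certificate; the helper and function names are this example's own.

```python
import base64
import hashlib
import urllib.parse
HASH_OIDS = {"sha1": "1.3.14.3.2.26", "sha256": "2.16.840.1.101.3.4.2.1"}
NONCE_OID = "1.3.6.1.5.5.7.48.1.2"  # id-pkix-ocsp-nonce (RFC 6960 4.4.1)

def der_len(n):
    if n < 0x80:  # short form; long form (0x80 | byte count, then the length) above 0x7F
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def cert_id(issuer_name_der, issuer_key_bits, serial, algo="sha256"):
    """CertID (RFC 6960 4.1.1). issuer_name_der: the issuer's DER Name; issuer_key_bits:
    the issuer subjectPublicKey BIT STRING payload (no tag, length or unused-bits byte)."""
    h = getattr(hashlib, algo)
    alg_id = tlv(0x30, der_oid(HASH_OIDS[algo]) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    serial_body = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive INTEGER
    return tlv(0x30, alg_id + tlv(0x04, h(issuer_name_der).digest())
               + tlv(0x04, h(issuer_key_bits).digest()) + tlv(0x02, serial_body))

def ocsp_request(issuer_name_der, issuer_key_bits, serial, nonce=None, algo="sha256"):
    """Unsigned OCSPRequest { tbsRequest { requestList, [2] requestExtensions OPTIONAL } }."""
    request_list = tlv(0x30, tlv(0x30, cert_id(issuer_name_der, issuer_key_bits, serial, algo)))
    tbs = request_list  # version v1 is the DEFAULT, so DER omits it
    if nonce is not None:  # extnValue carries the nonce encoded as its own OCTET STRING
        ext = tlv(0x30, der_oid(NONCE_OID) + tlv(0x04, tlv(0x04, nonce)))
        tbs += tlv(0xA2, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs))

def ocsp_get_url(responder_url, request_der):
    encoded = urllib.parse.quote(base64.b64encode(request_der).decode(), safe="")  # RFC 6960 A.1
    return responder_url.rstrip("/") + "/" + encoded
```

The bytes from `ocsp_request` are what a client POSTs to the AIA URL with Content-Type application/ocsp-request, or appends to the URL via `ocsp_get_url`; the nonce you send is the value to compare against the nonce in the BasicOCSPResponse before trusting its status.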