Introduction

The Online Certificate Status Protocol (OCSP) is used to check the revocation status of X.509 digital certificates (SSL/TLS certificates). The advantages of using OCSP instead of, or in addition to, certificate revocation lists (CRLs) are real-time certificate status responses and lower network and client resource usage.

OCSP is an internet protocol through which a client asks the issuing certificate authority (CA) for the revocation status of a secure sockets layer/transport layer security (SSL/TLS) certificate, the most common application of X.509 digital certificates.

How does OCSP work?

  1. Certificate Issuance: When a certificate authority (CA) issues a digital certificate to an entity (e.g., a website), it records information about the certificate, including a unique serial number and the certificate’s validity period.

  2. Revocation: Sometimes, certificates need to be revoked before their expiration date. This can happen if a private key is compromised or if the certificate holder’s status changes (e.g., employment termination). When a certificate is revoked, the CA updates its Certificate Revocation List (CRL) or uses OCSP to make the revocation status available.

  3. OCSP Responder: The CA operates an OCSP responder, which is a server that responds to queries about the status of certificates it has issued. This responder can be a separate server or integrated into the CA’s infrastructure.

  4. OCSP Request: When a client (e.g., a web browser) encounters a digital certificate while establishing a secure connection, it can send an OCSP request to the CA’s OCSP responder. The OCSP request typically includes the serial number of the certificate in question.

  5. OCSP Response: The OCSP responder checks its database to determine the status of the certificate based on the serial number provided in the request. It then sends back an OCSP response to the client. If the certificate is valid and not revoked, the OCSP response indicates “good.” If the certificate is revoked, the OCSP response indicates “revoked” and may include additional information about the revocation reason. If the OCSP responder cannot provide a conclusive response, it may return “unknown.”

  6. Client Verification: The client receives the OCSP response and uses it to determine the certificate’s status. If the response is “good,” the client proceeds with the secure connection. If the response is “revoked,” the client can choose to terminate the connection or take other appropriate action based on its security policy.
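Steps 4 to 6 above, as an added runnable example that is not code from the original article: a minimal OCSP responder and the client-side checks a relying party must make before trusting the answer, written with the Python cryptography library. The CA, the two leaf certificates and the revocation record are constructed for the example; real responders usually answer a serial they have no record of with the "unauthorized" error status, which the client treats as inconclusive.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.ocsp import (OCSPCertStatus, OCSPRequestBuilder, OCSPResponderEncoding,
    OCSPResponseBuilder, OCSPResponseStatus, load_der_ocsp_request, load_der_ocsp_response)

NOW, DER = datetime.datetime.now(datetime.timezone.utc), serialization.Encoding.DER

def make_cert(cn, issuer_name, signing_key, pub_key, serial):  # step 1: constructed, test-only certs
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(issuer_name or name)
            .public_key(pub_key).serial_number(serial).not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=30)).sign(signing_key, hashes.SHA256()))

ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
ca_cert = make_cert("Example Test CA", None, ca_key, ca_key.public_key(), 1)
leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # shared by both leaves, test only
revoked_cert = make_cert("revoked.example.test", ca_cert.subject, ca_key, leaf_key.public_key(), 0x1001)
good_cert = make_cert("good.example.test", ca_cert.subject, ca_key, leaf_key.public_key(), 0x1002)
ISSUED = {c.serial_number: c for c in (revoked_cert, good_cert)}  # the CA's issuance records
REVOKED = {revoked_cert.serial_number: x509.ReasonFlags.key_compromise}  # step 2: revocation record

def responder(request_der):
    """Step 5: the CA's responder looks the serial up and returns a signed DER response."""
    req = load_der_ocsp_request(request_der)
    cert = ISSUED.get(req.serial_number)
    if cert is None:  # no record of this serial, so no conclusive answer: return an error status
        return OCSPResponseBuilder.build_unsuccessful(OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
    reason = REVOKED.get(cert.serial_number)
    builder = OCSPResponseBuilder().add_response(
        cert=cert, issuer=ca_cert, algorithm=hashes.SHA1(),  # SHA-1 CertID hashes are the norm (RFC 5019)
        cert_status=OCSPCertStatus.REVOKED if reason else OCSPCertStatus.GOOD,
        this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
        revocation_time=NOW if reason else None, revocation_reason=reason)
    return builder.responder_id(OCSPResponderEncoding.HASH, ca_cert).sign(ca_key, hashes.SHA256()).public_bytes(DER)

def check_status(cert, issuer, send):
    """Steps 4 and 6: build the request, verify the response, then read the status."""
    req = OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    resp = load_der_ocsp_response(send(req.public_bytes(DER)))
    if resp.response_status != OCSPResponseStatus.SUCCESSFUL:
        return "unknown"  # local policy decides whether to fail open or fail closed here
    # The signature must verify under the issuer's key (or a delegated OCSP signer it certified) and the
    # answer must be about the serial asked for; production code also enforces thisUpdate/nextUpdate freshness.
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes, padding.PKCS1v15(), resp.signature_hash_algorithm)
    if (resp.serial_number, resp.issuer_key_hash) != (req.serial_number, req.issuer_key_hash):
        raise ValueError("OCSP response does not match the request")
    return {OCSPCertStatus.GOOD: "good", OCSPCertStatus.REVOKED: "revoked"}.get(resp.certificate_status, "unknown")
```

Calling `check_status(revoked_cert, ca_cert, responder)` returns "revoked" and `check_status(good_cert, ca_cert, responder)` returns "good"; a certificate the responder has no record of comes back "unknown".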

OCSP provides a more timely and granular way to check certificate status than periodically downloading and scanning CRLs, which is less efficient and less current. However, OCSP queries can add latency to connection setup because they involve additional network requests to the OCSP responder.