OCSP

Online Certificate Status Protocol: how certificate revocation checking works.

What it is

OCSP (Online Certificate Status Protocol) is a protocol for checking the revocation status of an X.509 certificate in real time. Instead of downloading a Certificate Revocation List (CRL), a client queries an OCSP responder to learn whether one specific certificate is still valid.

When a client connects to a server using TLS, it can send an OCSP request to the certificate's OCSP responder URL (found in the certificate's Authority Information Access extension). The responder returns a signed response indicating whether the certificate is "good", "revoked", or "unknown".
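As an added example (not part of this page or of any project's code), the unsigned OCSPRequest a client builds before posting it to the responder URL taken from the AIA extension, encoded in DER by hand with the Python standard library so that each RFC 6960 structure is visible. The issuer name, the issuer key bytes and the serial number are constructed sample values, and SHA-1 is used for the CertID hashes as the RFC 5019 lightweight profile requires.

```python
import hashlib
import urllib.request

SHA1_OID = bytes.fromhex("2b0e03021a")  # OBJECT IDENTIFIER 1.3.14.3.2.26 (id-sha1)

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a tag-length-value with the given tag byte."""
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(value: int) -> bytes:
    """INTEGER: minimal two's complement, so a leading 0x00 when the top bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def cert_id(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    issuerNameHash covers the issuer's full DER Name; issuerKeyHash covers only the
    value of the issuer's subjectPublicKey BIT STRING (RFC 6960 section 4.1.1)."""
    hash_alg = der(0x30, der(0x06, SHA1_OID) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    name_hash = der(0x04, hashlib.sha1(issuer_name_der).digest())
    key_hash = der(0x04, hashlib.sha1(issuer_key_bits).digest())
    return der(0x30, hash_alg + name_hash + key_hash + der_integer(serial))

def ocsp_request(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest }  (unsigned, no extensions)
    TBSRequest  ::= SEQUENCE { requestList SEQUENCE OF Request }
    Request     ::= SEQUENCE { reqCert CertID }"""
    request = der(0x30, cert_id(issuer_name_der, issuer_key_bits, serial))
    return der(0x30, der(0x30, der(0x30, request)))

def post_to_responder(aia_url: str, request_der: bytes, timeout: float = 5.0) -> bytes:
    """POST the request to the URL from the certificate's AIA extension (RFC 6960 A.1);
    the bytes returned are a DER OCSPResponse whose signature the caller must verify."""
    http = urllib.request.Request(aia_url, data=request_der,
                                  headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(http, timeout=timeout) as resp:
        return resp.read()

# Constructed sample issuer: Name = CN "Example CA"; a zeroed 32-byte key value stands in
# for a real subjectPublicKey; serial 0x1234 is the certificate whose status is asked for.
SAMPLE_ISSUER_NAME = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                                   + der(0x0C, b"Example CA"))))
SAMPLE_ISSUER_KEY = bytes(32)
SAMPLE_REQUEST = ocsp_request(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_KEY, 0x1234)
```

`openssl ocsp -reqin` can decode SAMPLE_REQUEST if you write it to a file, which is a quick way to confirm the structure against a real parser.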

Why it matters

OCSP provides several advantages over CRLs:

  • Real-time status: Get immediate revocation status without waiting for CRL updates
  • Smaller responses: Only query for specific certificates, not entire revocation lists
  • Faster updates: Revocation status can be updated immediately when a certificate is revoked
  • Better scalability: Reduces bandwidth compared to downloading large CRLs

However, OCSP has privacy concerns (the OCSP responder learns which sites you're visiting) and performance costs (an additional network round trip before the handshake can complete). OCSP Stapling addresses both by having the server fetch and cache the OCSP response for its own certificate and deliver it inside the TLS handshake, so the client does not contact the responder itself.

In practice

Best practices for OCSP:

  • Enable OCSP Stapling on your web server to improve performance and privacy
  • Monitor OCSP responder availability and response times
  • Decide and configure fallback behavior (hard-fail or soft-fail) for when the OCSP responder is unavailable
  • Use OCSP Must-Staple extension for high-security applications
  • Test OCSP responses regularly to ensure they're working correctly
  • Consider the privacy implications of OCSP for your users
  • Keep OCSP responder URLs accessible and properly configured

Further reading

  • RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol
  • RFC 7633: X.509v3 Transport Layer Security (TLS) Feature Extension
  • OCSP Stapling Configuration Guides