OCSP Status
The Online Certificate Status Protocol validation result...
What is OCSP Status?
OCSP (Online Certificate Status Protocol) Status provides real-time information about whether an SSL/TLS certificate has been revoked by its issuing Certificate Authority. Unlike Certificate Revocation Lists (CRLs), which are downloaded periodically, OCSP lets clients query the CA’s OCSP responder on demand to check the current status of a specific certificate.
OCSP Response Types
An OCSP responder returns one of three certificate statuses; a fourth outcome, no response, arises when the client cannot reach the responder:
- Good: Certificate is valid and has not been revoked
- Revoked: Certificate has been revoked by the CA, with revocation reason and date
- Unknown: OCSP responder cannot determine the certificate’s status
- No Response: OCSP responder is unavailable (soft-fail scenario)
Implementation and Security Considerations
OCSP checking can impact connection performance since it requires an additional network request during the TLS handshake. To address this, OCSP Stapling was developed, where the server periodically retrieves its own OCSP response and presents it to clients during the handshake. This eliminates the client’s need to contact the OCSP responder directly, improving performance and privacy. However, OCSP checking is not universally implemented due to reliability concerns: if the OCSP responder is unavailable, browsers typically employ a ‘soft-fail’ approach and allow the connection to proceed. Understanding OCSP status helps administrators ensure their certificates are properly validated and maintain user trust.
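The following added example (not from the original page) models how a client could turn the four outcomes listed above into a connection decision under soft-fail and hard-fail policies, including the validity window every OCSP answer carries. The names `OcspResult` and `decide`, the sample timestamps, and the choice to treat stale and unknown answers like a missing response are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass
class OcspResult:
    """One responder (or stapled) answer; field names are illustrative."""
    status: CertStatus
    this_update: datetime   # when the responder asserted this status
    next_update: datetime   # after this time the answer is no longer current


def decide(result: Optional[OcspResult], now: datetime,
           hard_fail: bool) -> Tuple[bool, str]:
    """Return (allow_connection, reason). result=None models 'No Response'."""
    if result is None:
        # Soft-fail treats an unreachable responder as if the check passed.
        return (not hard_fail, "no response")
    if result.status is CertStatus.REVOKED:
        return (False, "revoked")  # fatal under either policy
    if not (result.this_update <= now <= result.next_update):
        # An answer outside its validity window says nothing about today.
        return (not hard_fail, "stale response")
    if result.status is CertStatus.UNKNOWN:
        return (not hard_fail, "unknown")
    return (True, "good")


# Constructed sample data: a fixed clock and one validity window.
NOW = datetime(2024, 5, 4, 12, 0, tzinfo=timezone.utc)
FRESH = (NOW - timedelta(days=1), NOW + timedelta(days=6))
STALE = (NOW - timedelta(days=9), NOW - timedelta(days=2))

if __name__ == "__main__":
    cases = {
        "good": OcspResult(CertStatus.GOOD, *FRESH),
        "revoked": OcspResult(CertStatus.REVOKED, *FRESH),
        "unknown": OcspResult(CertStatus.UNKNOWN, *FRESH),
        "good but stale": OcspResult(CertStatus.GOOD, *STALE),
        "no response": None,
    }
    for name, res in cases.items():
        print(f"{name:15} soft={decide(res, NOW, False)} hard={decide(res, NOW, True)}")
```

The "no response" row is the one to watch: under soft-fail a revoked certificate is accepted whenever the responder cannot be reached, and only the hard-fail policy rejects it.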
Where You'll See This Term
This term commonly appears in:
- SSL certificate details pages
- Certificate Authority validation processes
- SSL configuration documentation
- Security audit reports
- Certificate management interfaces