OCSP
Online Certificate Status Protocol for real-time certificate validation
Online Certificate Status Protocol (OCSP) is a method for checking the revocation status of SSL certificates in real time. OCSP was developed as an alternative to Certificate Revocation Lists (CRLs), which can grow large and unwieldy because they must list every certificate the CA has revoked. Instead of downloading an entire CRL, an OCSP client queries the CA's OCSP responder about the status of one specific certificate by sending its serial number.
The OCSP responder returns one of three responses: 'good' (the certificate is valid), 'revoked' (the certificate has been revoked), or 'unknown' (the status cannot be determined). OCSP responses are digitally signed by the CA and carry timestamps to prevent replay attacks. OCSP does have limitations: each query reveals to the CA which sites a user visits, which raises privacy concerns, and the extra round trip to the responder slows down connection establishment.
To address these issues, OCSP Stapling was developed: the server periodically retrieves its own OCSP response and presents ("staples") it to clients during the TLS handshake, so clients no longer need to contact the OCSP responder directly.
Where You'll See This Term
This term commonly appears in:
- SSL certificate details pages
- Certificate Authority validation processes
- SSL configuration documentation
- Security audit reports
- Certificate management interfaces