OCSP

Online Certificate Status Protocol for real-time certificate validation

Certificate Validation

Online Certificate Status Protocol (OCSP) is a method for checking the revocation status of SSL certificates in real time. OCSP was developed as an alternative to Certificate Revocation Lists (CRLs), which can become large and unwieldy because they must list every revoked certificate. Instead of downloading entire CRLs, OCSP lets a client query the CA's OCSP responder about the status of one specific certificate by sending its serial number.

The OCSP responder returns one of three responses: 'good' (the certificate is valid), 'revoked' (the certificate has been revoked), or 'unknown' (the status cannot be determined). OCSP responses are digitally signed by the CA and include timestamps to prevent replay attacks. However, OCSP has some limitations: it can create privacy concerns by revealing to the CA which sites users visit, and OCSP queries can slow down connection establishment.

To address these issues, OCSP Stapling was developed, where the server periodically retrieves its own OCSP response and presents it to clients during the TLS handshake, eliminating the need for clients to contact the OCSP responder directly.
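The exchange described above (client query by serial number, signed and timestamped responder answer with one of the three statuses, and a stapling server that fetches its own response ahead of time) as an added runnable model. This is example code written for this page, not Chill SSL's code and not a real OCSP implementation: real OCSP carries ASN.1/DER messages and the responder signs with the CA's private key, which the client verifies with the CA's public key. To stay within the Python standard library the signature is stood in for by an HMAC over the signed fields, and RESPONDER_SECRET, the serial numbers and the revocation table are constructed sample data.

```python
"""Simplified model of the OCSP exchange (added example, not the page's code).

The HMAC below stands in for the CA signature of a real OCSP response; the
secret, serials and revocation records are constructed sample data.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

# Constructed: the responder's signing secret and the CA's revocation records.
RESPONDER_SECRET = b"constructed-responder-secret-not-a-real-key"
REVOCATION_DB = {
    "1A2B": GOOD,      # issued and still valid
    "3C4D": REVOKED,   # issued, later revoked
}


@dataclass(frozen=True)
class OCSPResponse:
    serial: str
    status: str
    this_update: int   # epoch seconds; plays the role of thisUpdate
    next_update: int   # epoch seconds; plays the role of nextUpdate (stale after this)
    signature: str     # hex HMAC standing in for the CA signature


def _signed_bytes(serial: str, status: str, this_update: int, next_update: int) -> bytes:
    # Everything the client relies on, timestamps included, must be covered by the
    # signature; otherwise an old 'good' answer could be re-used after revocation.
    return json.dumps([serial, status, this_update, next_update]).encode()


def responder(serial: str, now: int, validity: int = 3600) -> OCSPResponse:
    """CA-side OCSP responder: look the serial up and sign status + validity window."""
    status = REVOCATION_DB.get(serial, UNKNOWN)   # unknown serial -> 'unknown', never 'good'
    next_update = now + validity
    sig = hmac.new(RESPONDER_SECRET, _signed_bytes(serial, status, now, next_update),
                   hashlib.sha256).hexdigest()
    return OCSPResponse(serial, status, now, next_update, sig)


def client_validate(resp: OCSPResponse, expected_serial: str, now: int) -> Tuple[bool, str]:
    """Client-side checks. Returns (accepted, status_or_reason).

    Only a response that is for the right certificate, carries a valid signature and
    falls inside its own validity window may be acted on; anything else is rejected
    and the client falls back to its soft-fail or hard-fail policy.
    """
    if resp.serial != expected_serial:
        return False, "response is for a different certificate"
    expected_sig = hmac.new(
        RESPONDER_SECRET,
        _signed_bytes(resp.serial, resp.status, resp.this_update, resp.next_update),
        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, resp.signature):
        return False, "signature does not verify: altered or not from the responder"
    if now < resp.this_update or now > resp.next_update:
        return False, "outside validity window: stale or replayed response"
    return True, resp.status


class StaplingServer:
    """TLS server that fetches its own OCSP response ahead of time and staples it.

    The server is the only party that contacts the responder; clients receive the
    signed response inside the handshake and still run client_validate() on it.
    """

    def __init__(self, serial: str, refresh_margin: int = 600):
        self.serial = serial
        self.refresh_margin = refresh_margin
        self.cached: Optional[OCSPResponse] = None

    def staple(self, now: int) -> OCSPResponse:
        # Re-fetch shortly before the cached response would go stale, not after.
        if self.cached is None or now >= self.cached.next_update - self.refresh_margin:
            self.cached = responder(self.serial, now)
        return self.cached


if __name__ == "__main__":
    t = 1_700_000_000
    for serial in ("1A2B", "3C4D", "9999"):
        print(serial, client_validate(responder(serial, t), serial, t + 60))
    good = responder("3C4D", t)
    forged = OCSPResponse(good.serial, GOOD, good.this_update, good.next_update, good.signature)
    print("forged:", client_validate(forged, "3C4D", t + 60))     # signature check fails
    print("replayed:", client_validate(responder("1A2B", t), "1A2B", t + 7200))  # window check fails
```

The two rejection paths at the end are the ones the page's "signed" and "timestamped" properties buy: flipping a revoked certificate's status to 'good' breaks the signature, and presenting a once-valid response after its nextUpdate fails the freshness check. The stapling server refreshes its cached response a margin before nextUpdate so that clients never receive one that is about to be rejected.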

Where You'll See This Term

This term commonly appears in:

  • SSL certificate details pages
  • Certificate Authority validation processes
  • SSL configuration documentation
  • Security audit reports
  • Certificate management interfaces

Need Help with SSL Certificate Management?

Understanding SSL terminology is just the beginning. Chill SSL helps you monitor and manage your SSL certificates to prevent expiration and security issues.