The Online Certificate Status Protocol (OCSP) is the Internet protocol used by web browsers to determine the revocation status of SSL/TLS certificates supplied by HTTPS websites. While SSL/TLS certificates are always issued with an expiration date, there are certain circumstances in which a certificate must be revoked before it expires (for example, if its associated private key may have been compromised). Therefore, clients must always check a website’s certificate for revocation, regardless of its expiry date.
In its simplest form, OCSP works as follows:
- A web browser receives a certificate from an HTTPS website.
- The web browser sends a request to an OCSP responder, a server operated by the certificate authority (CA) that issued the certificate.
- The OCSP responder’s signed response to the browser indicates whether the certificate is valid or has been revoked.
While initially introduced to solve the bandwidth and scaling problems of certificate revocation lists (CRLs), OCSP introduced several performance and security issues of its own that are currently being addressed through OCSP stapling. In OCSP stapling:
- A web server requests and obtains a signed OCSP response for its certificate from an OCSP responder, which can be cached for up to 7 days.
- The server includes the cached OCSP response along with (or “stapled to”) its certificate in its HTTPS responses to web browsers.
- To prevent a potential attack in which a website serves a stolen revoked certificate without a stapled OCSP response, certificates may be issued with a must-staple extension, mandating OCSP stapling for the certificate.
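The exchange described above, played end to end with the openssl command line against a throwaway CA, as an added example that is not part of the SSL.com article. The CA name, site name, serial number, dates and file names are constructed; the leaf's private key is treated as compromised, so the responder answers "revoked", and the leaf is issued with the must-staple extension.

```shell
#!/bin/sh
# Added example (not from the SSL.com article): play both sides of the OCSP
# exchange offline with openssl. A throwaway CA issues a leaf certificate,
# the leaf's private key is treated as compromised, and the CA's responder
# answers a status request with a signed "revoked" response of the kind a
# server would staple. All names, serials and dates are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Throwaway CA; it also signs OCSP responses (the responder role).
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
  -keyout ca.key -out ca.pem -days 2 2>/dev/null
# 2. Leaf certificate for the "website", serial 1000 (hex 03E8), issued with
#    the must-staple extension (tlsfeature = status_request).
printf 'tlsfeature=status_request\n' > must_staple.cnf
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 1000 \
  -extfile must_staple.cnf -out leaf.pem -days 1 2>/dev/null
# 3. The responder's revocation database (openssl index format, tab separated):
#    status R=revoked, expiry, revocation time + reason, serial, file, subject.
printf 'R\t991231235959Z\t240101120000Z,keyCompromise\t03E8\tunknown\t/CN=www.example.test\n' > index.txt

# Client (browser, or a server preparing to staple): build the OCSP request.
# -no_nonce mirrors stapling, where one cached response serves every client.
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null

# Responder: look the serial up in index.txt, sign with the CA key, and set
# nextUpdate 7 days out, the longest a server should keep the response.
openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
  -ndays 7 -reqin req.der -respout resp.der >/dev/null 2>&1

# Client: verify the response signature against the CA, then print the status
# word ("good", "revoked" or "unknown"). Returns non-zero if verification fails.
ocsp_status() {
  out=$(openssl ocsp -respin resp.der -CAfile ca.pem -issuer ca.pem \
        -cert leaf.pem 2>&1) || return 1
  printf '%s\n' "$out" | grep -q 'Response verify OK' || return 1
  printf '%s\n' "$out" | sed -n 's/^leaf\.pem: //p'
}
# True if the leaf carries the must-staple extension.
must_staple() {
  openssl x509 -in leaf.pem -noout -text | grep -q status_request
}

echo "certificate status: $(ocsp_status)"      # revoked
if must_staple; then echo "must-staple: yes"; fi
```

A browser that received this response stapled to leaf.pem would reject the connection; a must-staple leaf served without any stapled response would be rejected as well.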
For more information on OCSP stapling and how to implement it on your servers, please read our article, Page Load Optimization: OCSP Stapling. For examples of browser error messages resulting from revoked certificates, please refer to this guide. And, of course, if you have questions about OCSP or any other topic related to PKI and digital certificates, please contact us by email at Support@SSL.com, call 1-SSL-Certificate (1-775-237-8434), or simply click the chat button at the bottom right of this page. And, as always, thank you for choosing SSL.com!