
Online Certificate Status Protocol

(also OCSP)

Online Certificate Status Protocol definition

The Online Certificate Status Protocol is a network protocol used to obtain the revocation status of an X.509 digital certificate. It is employed as part of the Internet Public Key Infrastructure (PKI) for securing web communications. OCSP allows clients (such as web browsers) to send a request to a Certificate Authority (CA) server to check whether a digital certificate is valid or has been revoked.

This protocol provides a more efficient and real-time method for verifying certificate status compared to older techniques like Certificate Revocation Lists (CRLs), enhancing the overall security of digital communications and transactions.

See also: public key infrastructure, OCSP stapling, communication protocol, X.509

History of Online Certificate Status Protocol

  • Certificate revocation lists (CRLs). Initially, the revocation status of digital certificates was checked using CRLs. These were lists of revoked certificates published by CAs. However, as the internet grew, CRLs became unwieldy due to their size and the infrequency of updates.
  • Introduction of OCSP. The Internet Engineering Task Force (IETF) standardized the protocol in 1999 in RFC 2560. OCSP significantly improved upon CRLs by allowing real-time, on-demand checks of a certificate's revocation status.
  • OCSP in SSL/TLS. OCSP became particularly important in the context of SSL/TLS, the protocols underlying secure web communications. It allowed web browsers and other clients to quickly verify whether a website's SSL/TLS certificate was still valid.
  • OCSP stapling. With OCSP stapling, the web server fetches a signed, time-stamped OCSP response for its own certificate and sends it to the client inside the TLS handshake, so the client no longer has to contact the CA itself. This improved the protocol’s efficiency and addressed privacy concerns, since the CA no longer learns which sites each client visits.
  • Continued evolution. OCSP has continued to evolve with improvements and updates to address various challenges, such as response time, security vulnerabilities, and scalability issues.