Online Certificate Status Protocol

The Online Certificate Status Protocol (OCSP) is an <a href="/facts/Internet/Xw1rVvJU">Internet</a> <a href="/facts/Communication_protocol/5uady7cB">protocol</a> used for obtaining the <a href="/facts/Revocation_status/8o9tHUCE">revocation status</a> of an <a href="/facts/X.509/rs0JuYDd">X.509</a> <a href="/facts/Digital_certificate/J7aYI4Bx">digital certificate</a>. It was created as an alternative to <a href="/facts/Certificate_revocation_list/JSP12aR0">certificate revocation lists</a> (CRL), specifically addressing certain problems associated with using CRLs in a <a href="/facts/Public_key_infrastructure/7fwMLxF4">public key infrastructure</a> (PKI). Messages communicated via OCSP are encoded in <a href="/facts/ASN.1/ryUN7doc">ASN.1</a> and are usually communicated over <a href="/facts/HTTP/TWtvf7JD">HTTP</a>. The "request/response" nature of these messages leads to OCSP <a href="/facts/Server_(computing)/dEaYFD7r">servers</a> being termed OCSP responders.
Some <a href="/facts/Web_browser/2pfyymLs">web browsers</a> (e.g., <a href="/facts/Firefox/xez2zv8H">Firefox</a>) use OCSP to validate <a href="/facts/HTTPS/MSWYz4zo">HTTPS</a> certificates, while others have disabled it. Most OCSP revocation statuses on the Internet disappear soon after certificate expiration.
<a href="/facts/Certificate_authority/WAo8vMTN">Certificate authorities</a> (CAs) were previously required by the <a href="/facts/CA%2fBrowser_Forum/JC00DSD0">CA/Browser Forum</a> to provide OCSP service, but this requirement was removed in August 2023, instead making CRLs required again. <a href="/facts/Let%2527s_Encrypt/Phod5jG9">Let's Encrypt</a> has announced that OCSP services will be shut down on August 6, 2025.

Online Certificate Status Protocol open-in-new

Online Certificate Status Protocol