Online Certificate Status Protocol (OCSP)

Security Glossary - SSL/TLS

Definition: OCSP is a protocol used to check the revocation status of an SSL certificate in real time. Instead of downloading an entire Certificate Revocation List (CRL), a client sends a query to the CA's OCSP responder asking about one specific certificate and receives a signed response stating whether that certificate's status is good (not revoked), revoked, or unknown.

Why OCSP Is Important

Certificate revocation is the mechanism for invalidating compromised certificates before they expire. If a server's private key is stolen, the certificate must be revoked so browsers stop trusting it. OCSP provides a way for browsers to check revocation status without downloading large CRL files.

However, traditional OCSP has privacy and reliability concerns. Each time a browser connects to a site, it contacts the CA's OCSP responder, revealing which sites the user visits. If the OCSP responder is slow or down, the browser must decide whether to block the connection (hard-fail, which hurts availability) or proceed without checking (soft-fail, which defeats the purpose of revocation checking).

Most browsers use soft-fail, meaning a revoked certificate may still be accepted if the CA's OCSP responder is unreachable. This significantly weakens revocation checking. OCSP stapling solves many of these issues by having the server itself fetch and cache the OCSP response and present it to clients, which eliminates the privacy concern and reduces the dependency on the availability of the CA's infrastructure.

Testing Your Configuration

An SSL checker can verify whether your server's certificate has a valid OCSP response and whether OCSP stapling is enabled. Check that the OCSP responder URL in your certificate is reachable and returning valid responses.
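The hard-fail versus soft-fail behaviour described under "Why OCSP Is Important" and the stapling check described here can both be exercised offline with the following Python example. It is added here and is not part of this glossary entry or of any DomainOptic tool. It reads the OCSP block that `openssl s_client -connect HOST:443 -servername HOST -status` prints, checks the staple against its thisUpdate/nextUpdate validity window, and models the decision a client makes under each policy. The sample output, CA name, serial number and dates are constructed; the "allow-unverified" label and the five-minute clock-skew allowance are choices made for this example.

```python
"""Read the OCSP block that `openssl s_client -status` prints and model the
hard-fail / soft-fail decision a client makes from it. All sample output is
constructed for this example (hypothetical CA, serial and dates)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed excerpt of the output of:
#   openssl s_client -connect HOST:443 -servername HOST -status </dev/null
SAMPLE_GOOD = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = XX, O = Example CA, CN = Example Issuing CA
    Responses:
    Certificate ID:
      Serial Number: 0123456789ABCDEF
    Cert Status: good
    This Update: Jan  1 12:00:00 2024 GMT
    Next Update: Jan  8 12:00:00 2024 GMT
======================================
"""
# Same staple, but the responder reports the certificate as revoked.
SAMPLE_REVOKED = SAMPLE_GOOD.replace(
    "    Cert Status: good\n",
    "    Cert Status: revoked\n"
    "    Revocation Time: Jan  2 09:00:00 2024 GMT\n"
    "    Revocation Reason: keyCompromise (0x1)\n",
)
# What openssl prints when the server does not staple at all.
SAMPLE_NO_STAPLE = "OCSP response: no response sent\n"
NOW = datetime(2024, 1, 3, 12, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass
class Staple:
    status: str                      # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # None: responder advertised no expiry
    revocation_reason: Optional[str] = None


def _parse_time(text: str) -> datetime:
    # openssl prints "Jan  1 12:00:00 2024 GMT"; strptime tolerates the double space
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_staple(output: str) -> Optional[Staple]:
    """Return the stapled response, or None when none was sent or it is not 'successful'."""
    if "OCSP Response Status: successful" not in output:
        return None
    status = re.search(r"Cert Status:\s*(\w+)", output)
    this_upd = re.search(r"This Update:\s*(.+)", output)
    next_upd = re.search(r"Next Update:\s*(.+)", output)
    reason = re.search(r"Revocation Reason:\s*(\w+)", output)
    if not (status and this_upd):
        return None
    return Staple(status.group(1), _parse_time(this_upd.group(1)),
                  _parse_time(next_upd.group(1)) if next_upd else None,
                  reason.group(1) if reason else None)


def staple_is_fresh(staple: Staple, now: datetime, skew: timedelta = timedelta(minutes=5)) -> bool:
    """A staple is only usable inside its [thisUpdate, nextUpdate] window (plus clock skew)."""
    if now + skew < staple.this_update:
        return False
    return staple.next_update is None or now - skew <= staple.next_update


def decide(staple: Optional[Staple], now: datetime, hard_fail: bool) -> str:
    """Client decision. No staple, a stale staple or an 'unknown' status all
    leave revocation unconfirmed (a real client would try a live query here;
    an unreachable responder ends in the same branch): hard-fail blocks,
    soft-fail proceeds, which is the weakness the glossary entry describes."""
    if staple is not None and staple_is_fresh(staple, now):
        if staple.status == "good":
            return "allow"
        if staple.status == "revoked":
            return "block"
    return "block" if hard_fail else "allow-unverified"


def stapling_report(output: str, now: datetime) -> dict:
    """What an SSL checker would report about a server's stapling."""
    staple = parse_staple(output)
    if staple is None:
        return {"stapled": False, "status": None, "fresh": False, "expires_in_hours": None}
    hours = None if staple.next_update is None else round(
        (staple.next_update - now).total_seconds() / 3600, 1)
    return {"stapled": True, "status": staple.status,
            "fresh": staple_is_fresh(staple, now), "expires_in_hours": hours}


if __name__ == "__main__":
    for name, out in [("good", SAMPLE_GOOD), ("revoked", SAMPLE_REVOKED), ("none", SAMPLE_NO_STAPLE)]:
        print(name, stapling_report(out, NOW),
              "hard-fail:", decide(parse_staple(out), NOW, True),
              "soft-fail:", decide(parse_staple(out), NOW, False))
```

To run it against a live server, capture the real output of the `openssl s_client ... -status` command above and pass it to `stapling_report`; a report with `"stapled": False` means the server is not stapling, and a shrinking `expires_in_hours` that never resets means the server is not refreshing its cached response. The responder itself can be queried directly with `openssl ocsp -issuer issuer.pem -cert cert.pem -url RESPONDER_URL -resp_text`, which is the reachability check this section asks for.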

Common Questions About OCSP

What is the difference between OCSP and CRL?

CRL is a full list of all revoked certificates from a CA, which can be very large. OCSP checks individual certificates in real time. OCSP is more efficient but introduces a dependency on the OCSP responder being available.

Do browsers actually check OCSP?

Most browsers use a soft-fail approach - they attempt an OCSP check but allow the connection if the responder is unreachable. Chrome does not use OCSP at all, relying instead on its own CRLSets. This is why OCSP stapling is important.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.