The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is specified in RFC 6960 (which obsoletes RFC 2560) and was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 (DER) and are usually carried over HTTP. A client asks about one or more certificates, each identified by hashes of the issuer's name and key plus the certificate serial number, and receives a response that is digitally signed by the CA or by a responder the CA has delegated; the client verifies that signature rather than relying on the transport. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

Some web browsers (e.g., Firefox) use OCSP to validate HTTPS certificates, while others have disabled it. Most OCSP responders on the Internet stop answering for a certificate soon after it expires, so its revocation status is generally only obtainable during the certificate's validity period.

Certificate authorities (CAs) were previously required by the CA/Browser Forum's Baseline Requirements to operate an OCSP service, but that requirement was removed in July 2023, making OCSP optional and CRLs mandatory again. Let's Encrypt announced in July 2024 that it would end OCSP support, citing the privacy concerns described below, and turned its OCSP responders off on August 6, 2025.

Comparison to CRLs

  • Since an OCSP response contains less data than a typical certificate revocation list (CRL), it puts less burden on network and client resources.
  • Since an OCSP response has less data to parse, the client-side libraries that handle it can be less complex than those that handle CRLs.
  • OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information. The TLS Feature certificate extension (RFC 7633), commonly called Must-Staple, can require that the server deliver a stapled OCSP response in the TLS handshake, so the client never has to contact the responder itself, which mitigates this problem.
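
The request/response exchange described in the introduction, and the disclosure point in the last bullet above, as an added example that is not code from the original article or from any of the projects it lists. It uses only the openssl command-line tool, entirely offline: a constructed throwaway CA, three constructed end-entity certificates (serials 0x1001, 0x1002 and 0x1003, chosen here), a constructed "openssl ca"-style index file standing in for the responder's revocation database, and a constructed "Rogue Responder" certificate that the client does not trust. The function names and file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article or from any project it
# lists: an OCSP request/response round trip performed entirely offline with
# the openssl command-line tool. The CA, the certificates, their serial
# numbers and the responder's index file are all constructed here.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# A throwaway issuing CA, a second self-signed "rogue" certificate that the
# client does not trust, and three end-entity certificates. The serial
# numbers are arbitrary but must match the hex values in index.txt below.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo OCSP CA" -days 30 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem \
    -subj "/CN=Rogue Responder" -days 30 >/dev/null 2>&1
for name in good revoked forgotten; do
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
        -subj "/CN=$name.example" >/dev/null 2>&1
done
openssl x509 -req -in good.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
    -days 30 -out good.pem >/dev/null 2>&1
openssl x509 -req -in revoked.csr -CA ca.pem -CAkey ca.key -set_serial 0x1002 \
    -days 30 -out revoked.pem >/dev/null 2>&1
openssl x509 -req -in forgotten.csr -CA ca.pem -CAkey ca.key -set_serial 0x1003 \
    -days 30 -out forgotten.pem >/dev/null 2>&1

# The responder's revocation database, in "openssl ca" index format.
# Tab-separated fields: status (V = valid, R = revoked), expiry, revocation
# time, serial (upper-case hex), certificate file, subject. Serial 1003 is
# deliberately missing so the responder has no record of forgotten.pem.
printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=good.example\n' > index.txt
printf 'R\t301231235959Z\t250101000000Z\t1002\tunknown\t/CN=revoked.example\n' >> index.txt

# Client side: write a DER-encoded OCSPRequest for certificate $1.
# -no_nonce because the response is produced offline rather than fetched.
ocsp_request() {
    openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
}

# What the request reveals: decode it and print the serial number. This,
# together with the issuer hashes, is what the responder (and anyone watching
# the usual unencrypted HTTP transport) learns about the certificate.
ocsp_request_serial() {
    ocsp_request "$1"
    openssl ocsp -reqin req.der -req_text 2>/dev/null | sed -n 's/^ *Serial Number: //p'
}

# Responder side: answer req.der from index.txt and sign the response with
# certificate $1 and key $2 (the CA itself in the honest case).
ocsp_respond() {
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$1" -rkey "$2" \
        -reqin req.der -respout resp.der >/dev/null 2>&1
}

# Client side again: verify the signature on resp.der against the trusted
# CA and print the status of certificate $1 (good, revoked or unknown).
# openssl exits non-zero on "Response Verify Failure", so nothing is printed
# and the function fails when the signature is not trusted.
ocsp_verify() {
    openssl ocsp -respin resp.der -issuer ca.pem -cert "$1" -CAfile ca.pem \
        -no_nonce -out status.txt >/dev/null 2>&1 || return 1
    sed -n "s|^$1: ||p" status.txt
}

# Honest round trip: request, CA-signed response, verification.
ocsp_status() {
    ocsp_request "$1" && ocsp_respond ca.pem ca.key && ocsp_verify "$1"
}

# Same round trip, but the response is signed by the untrusted rogue key:
# the client must reject it regardless of the status it claims.
rogue_status() {
    ocsp_request "$1" && ocsp_respond rogue.pem rogue.key && ocsp_verify "$1"
}

for c in good.pem revoked.pem forgotten.pem; do
    printf '%s: request discloses serial %s, responder says %s\n' \
        "$c" "$(ocsp_request_serial "$c")" "$(ocsp_status "$c")"
done
if rogue_status good.pem; then
    echo "rogue-signed response was accepted (should never happen)"
else
    echo "rogue-signed response rejected: signature does not chain to ca.pem"
fi
```

Two details are worth noticing. A certificate the responder has no record of comes back as "unknown", not "good", so a client that treats anything other than "revoked" as acceptable is making a policy decision, not a protocol one. And the rogue case is why the signature matters more than the channel: the response claims "good" for serial 0x1001, but because the signer neither is the issuer nor chains to it, the client discards it. Nonces are omitted here because the response is produced offline; a client talking to a live responder should either send a nonce or check thisUpdate/nextUpdate for freshness, as the lightweight profile in RFC 5019 describes.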

Browser support

  • All versions of Mozilla Firefox support OCSP checking. Firefox 3 enables OCSP checking by default.
  • Safari on macOS supports OCSP checking. It is enabled by default as of Mac OS X 10.7 (Lion). Prior to that, it has to be manually activated in Keychain preferences.
  • Versions of Opera from 8.0 onward support OCSP checking.

However, Google Chrome is an outlier. Google disabled OCSP checks by default in Chrome in 2012, citing latency and privacy issues, and instead pushes a curated list of revoked certificates (CRLSets) to the browser through its own update mechanism.

Implementations

Several open source and proprietary OCSP implementations exist, including fully featured servers and libraries for building custom applications. OCSP client support is built into many operating systems, web browsers, and other network software due to the popularity of HTTPS and the World Wide Web.

Server

Open source

  • Boulder, CA and OCSP responder developed and used by Let's Encrypt (Go)
  • Dogtag, open source CA, CRL and OCSP responder (Java)
  • EJBCA, CA and OCSP responder (Java)
  • XiPKI, CA and OCSP responder with support for RFC 6960 and SHA-3 (Java)
  • OpenCA OCSP Responder, standalone OCSP responder from the OpenCA Project (C)

Proprietary

  • Active Directory Certificate Services, CA and OCSP responder (the Online Responder role service) included with Windows Server

Library

Open source

  • cfssl (Go)
  • OpenSSL (C)
  • wolfSSL (C)

See also

  • Certificate revocation list
  • Certificate authority
  • Server-based Certificate Validation Protocol
  • OCSP stapling
  • Certificate Transparency

References

  • RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP (obsoleted by RFC 6960), https://tools.ietf.org/html/rfc2560
  • RFC 4806, Online Certificate Status Protocol (OCSP) Extensions to IKEv2, https://tools.ietf.org/html/rfc4806
  • RFC 5019, The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments, https://tools.ietf.org/html/rfc5019
  • RFC 6960, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP, https://tools.ietf.org/html/rfc6960
  • RFC 7633, X.509v3 Transport Layer Security (TLS) Feature Extension, https://tools.ietf.org/html/rfc7633
  • Processor.com, April 2009 article about the Online Certificate Status Protocol