How can you check the status of an SSL certificate using OCSP?

OCSP

OCSP (Online Certificate Status Protocol) is a protocol for checking the status of an SSL certificate. The standard describes the communication between the server providing the service (the OCSP responder) and the system of the party relying on the certificate. OCSP defines both the structure and format of the certificate status request and of the response carrying the verification result. Only a “good” (valid) status means that the certificate was issued by an entity that uses the OCSP service.

Certificate validity period

All SSL certificates have their own validity periods. They are issued for a maximum of two years and are considered valid during that time. However, revoking a certificate may sometimes be necessary—for example, if the information contained in the certificate is outdated or if the private key has been compromised. When a certificate is revoked, it is necessary to inform all users who rely on it. If, for instance, a bank revokes the SSL certificate used to secure its login page, its customers must be notified. Currently, information about a revocation can be provided in two ways—using CRLs (Certificate Revocation Lists) or by using the OCSP protocol.

Online Certificate Status Protocol

OCSP is a protocol in which a client sends a request about the status of a certificate to the server of the appropriate Certificate Authority (CA). The response contains the relevant SSL certificate status. A “good” status indicates that the certificate has not been revoked during its validity period and remains valid. A “revoked” status covers SSL certificates that have been either actually revoked or suspended. In the case of a suspension, the certificate can be reinstated, making it valid again. The last status is “unknown,” which means that the OCSP responder found no information regarding the certificate specified in the request. Typically, this status is returned when the certificate issuer in question is not supported by the given OCSP server.

Server address for the protocol

When sending a request to an OCSP server, the client must know its address. It can be obtained directly from the SSL certificate in question. Status requests must be directed to the address found in the AIA (Authority Information Access) extension, which consists of the fields “accessMethod” and “accessLocation.” The first field describes the format and type of data—one of its possible values indicates that status verification is available via the OCSP protocol. The second field contains the specific address of the OCSP server, at which the SSL certificate issuer provides the service. The request for the status of the certificate in question should be sent to exactly this address. OCSP uses the HTTP protocol to transmit data about the SSL certificate status. Although the standard allows other protocols as well, HTTP remains the most popular form of communication today.
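The lookup described in the last two sections, worked end to end as an added example that is not part of the original article: a throwaway CA and leaf certificate are minted with openssl, the responder address is read from the AIA extension, and openssl's built-in responder mode (-index) answers the request offline, so no live responder is contacted. The CA name, the host name www.example.test and the AIA URL http://ocsp.example.test/ are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: mint a throwaway CA and a leaf cert
# whose AIA extension carries an OCSP URI, then answer and verify OCSP
# requests offline with openssl's built-in responder (-index), so the
# "good" and "revoked" statuses described above can be observed end to end.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed demo CA; it also signs the OCSP responses (a delegated
# responder certificate would work the same way).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo OCSP CA" -days 30 2>/dev/null

# Leaf certificate with an AIA extension: accessMethod = OCSP,
# accessLocation = http://ocsp.example.test/ (constructed address).
printf '[ext]\nauthorityInfoAccess = OCSP;URI:http://ocsp.example.test/\n' > leaf.cnf
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile leaf.cnf -extensions ext -out leaf.pem 2>/dev/null

# Step 1 (client): read the responder address out of the AIA extension.
# Against a live responder the query would be:
#   openssl ocsp -issuer ca.pem -cert leaf.pem -url "$(ocsp_uri)" -CAfile ca.pem
ocsp_uri() { openssl x509 -in leaf.pem -noout -ocsp_uri; }

# Step 2 (client): build the OCSP request; its CertID holds the issuer name
# hash, the issuer key hash and the serial number of leaf.pem.
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1

# Step 3 (responder): the CA's certificate database, in openssl's CA index
# format: status (V=valid, R=revoked), expiry, revocation time, serial,
# file name, subject. One copy lists the leaf as valid, one as revoked.
SERIAL=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
NOW=$(date -u +%y%m%d%H%M%SZ)
printf 'V\t%s\t\t%s\tunknown\t/CN=www.example.test\n' "$NOW" "$SERIAL" > good.idx
printf 'R\t%s\t%s\t%s\tunknown\t/CN=www.example.test\n' "$NOW" "$NOW" "$SERIAL" > revoked.idx

# Answer req.der from the given database, then have the client verify the
# signature on the response against the CA and print the status word.
status_from() {
  openssl ocsp -index "$1" -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -no_nonce \
    -CAfile ca.pem 2>/dev/null | sed -n 's/^leaf.pem: //p'
}

echo "AIA OCSP URI:        $(ocsp_uri)"
echo "status (valid db):   $(status_from good.idx)"
echo "status (revoked db): $(status_from revoked.idx)"
```

The same CertID is answered "good" from the first database and "revoked" from the second; a serial the responder has never seen would come back "unknown", as the section on statuses explains.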

OCSP in Browsers

The OCSP protocol can be used to verify SSL certificate status in four out of the five most commonly used web browsers. Only Chrome does not typically use OCSP queries, relying instead on CRLSets. In other popular browsers (Internet Explorer, Firefox, Opera, and Safari), it is possible to verify the certificate status using OCSP, although each browser handles it somewhat differently. For example, if the OCSP server is unavailable, Internet Explorer switches to using CRLs, while Firefox relies solely on the Online Certificate Status Protocol.
