What is OCSP? Understanding Online Certificate Status Protocol
In your GuardSSL scan results, you might notice an OCSP URL field. OCSP is a protocol you probably use every day without knowing it. Let me explain what it is and why it matters.
The Problem OCSP Solves
Imagine this scenario:
The private key behind a company's TLS certificate is stolen. The company rushes to ask its CA (Certificate Authority) to revoke the certificate. But here's the problem: the certificate hasn't expired yet, and nothing inside the certificate itself changes when it is revoked. How does a browser know this certificate should no longer be trusted?
This is exactly what OCSP (Online Certificate Status Protocol) addresses.
How OCSP Works
Think of OCSP as a certificate status hotline.
When you visit an HTTPS website:
- Your browser receives the website's certificate
- The browser asks the OCSP server named in the certificate (in its Authority Information Access, or AIA, extension): "Is the certificate with this serial number, issued by this CA, still valid?"
- The OCSP server returns a signed response whose status is "good," "revoked," or "unknown"
- Your browser decides whether to trust the website based on the response
Browser ----"Is certificate ABC123 still valid?"----> OCSP Server
Browser <----"Yes, it's valid, go ahead!"------------ OCSP Server
Problems with Traditional OCSP
While OCSP solves the revocation verification problem, the traditional implementation has some drawbacks:
Performance Issues
Browsers cache OCSP responses, but the first visit to a site (or any visit after the cached response has expired) needs an extra round trip to the OCSP server before the page can load. If the OCSP server responds slowly, your website loads slowly.
Privacy Concerns
The CA's OCSP server sees a request for a specific certificate coming from your IP address, which tells it which sites you visit and when. Whether the CA logs that is a policy question; the protocol itself leaks it.
Availability Problems
What if the OCSP server is unreachable? Should the browser block access (secure but hurts availability) or allow access (convenient but potentially insecure)?
Browsers that still perform live OCSP lookups choose "soft fail": if the query fails or times out, they proceed as though the certificate were valid. This is a real security trade-off, because an attacker who is already in a position to intercept your connection can usually block the OCSP query as well, which turns the check into a no-op exactly when it matters. Some browsers have moved away from live OCSP queries entirely and instead rely on revocation data bundled into the browser.
OCSP Stapling: A Better Solution
To address these issues, OCSP Stapling was developed.
How It Works
Instead of having browsers query the OCSP server every time:
- The web server periodically (for example, every few hours) queries the OCSP server about its own certificate
- The OCSP server returns a signed response, the "certificate status proof," which carries a validity window: a "This Update" time and a "Next Update" time, typically a few days apart
- The server caches that response and "staples" it to the certificate in the TLS handshake (the status_request extension)
- When users connect, the server sends both the certificate and the status proof, so the browser never contacts the CA
- The browser checks that the response is signed by the CA (or a responder the CA has delegated to), refers to this certificate, and is still inside its validity window; the server must refresh its cached copy before "Next Update" passes, or visitors receive a response their browser will reject
Web Server ----"Is my certificate still valid?"-------> OCSP Server
Web Server <----signed status proof (valid for days)---- OCSP Server
User Browser <----certificate + stapled status proof---- Web Server
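The exchange above, end to end, as an added example written for this page in Python with the `cryptography` library (illustration code, not GuardSSL's or any CA's): it builds the client-side request from "How OCSP Works," answers it as the responder would, and then applies the checks a browser performs on a fetched or stapled response (matching certificate, expected responder, signature, validity window). The CA, the leaf certificate, the responder URL http://ocsp.example.test and the validity windows are all constructed in memory; nothing is fetched from a real CA.

```python
"""Added example (not GuardSSL code): a full OCSP request/response round trip
done in memory with the `cryptography` library. The CA, leaf certificate,
responder URL and validity windows are constructed here for illustration."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

NOW = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, as the builders expect
OCSP_URL = "http://ocsp.example.test"                   # hypothetical responder address
DER = serialization.Encoding.DER


def make_ca():
    """Self-signed CA; it issues the leaf and also signs the OCSP responses."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_leaf(ca_key, ca_cert):
    """End-entity certificate whose AIA extension carries the OCSP URL."""
    key = ec.generate_private_key(ec.SECP256R1())
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=90))
            .add_extension(aia, critical=False).sign(ca_key, hashes.SHA256()))


def ocsp_url(cert):
    """Step one for any client: read the responder URL out of the certificate."""
    aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    return next(d.access_location.value for d in aia
                if d.access_method == AuthorityInformationAccessOID.OCSP)


def build_request(leaf, issuer):
    """Client: 'is the certificate with this serial, under this issuer, still valid?'"""
    return ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA1()).build().public_bytes(DER)


def respond(request_der, leaf, issuer, issuer_key, revoked=False, this_update=None):
    """Responder: answer for the one certificate this toy responder knows, signed by the CA."""
    req = ocsp.load_der_ocsp_request(request_der)
    if req.serial_number != leaf.serial_number:
        raise LookupError("unknown serial")       # a real responder would answer 'unknown'
    this_update = this_update or NOW
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf, issuer=issuer, algorithm=hashes.SHA1(), cert_status=status,
        this_update=this_update, next_update=this_update + timedelta(days=7),
        revocation_time=(NOW - timedelta(hours=1)) if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.NAME, issuer)
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(DER)


def _utc(resp, field):
    """Use the timezone-aware accessors where available (cryptography >= 43)."""
    value = getattr(resp, field + "_utc", None)
    return value if value is not None else getattr(resp, field).replace(tzinfo=timezone.utc)


def check_response(response_der, request_der, issuer, now=None):
    """Client: the checks a browser applies to a fetched or stapled response."""
    now = (now or NOW).replace(tzinfo=timezone.utc)
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unknown"                          # responder error: no status information
    req = ocsp.load_der_ocsp_request(request_der)
    if resp.serial_number != req.serial_number or resp.issuer_key_hash != req.issuer_key_hash:
        raise ValueError("response is for a different certificate")
    if resp.responder_name != issuer.subject:
        raise ValueError("unexpected responder")
    # Signature over the signed portion of the response, checked against the issuer's key.
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    # Freshness: a response outside its window is not evidence of anything.
    if not _utc(resp, "this_update") <= now <= _utc(resp, "next_update"):
        return "stale"
    return "revoked" if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED else "good"


def run_demo():
    ca_key, ca = make_ca()
    leaf = make_leaf(ca_key, ca)
    req = build_request(leaf, ca)
    results = {"url": ocsp_url(leaf)}
    results["good"] = check_response(respond(req, leaf, ca, ca_key), req, ca)
    results["revoked"] = check_response(respond(req, leaf, ca, ca_key, revoked=True), req, ca)
    old = respond(req, leaf, ca, ca_key, this_update=NOW - timedelta(days=30))
    results["stale"] = check_response(old, req, ca)  # a server that stopped refreshing its staple
    return results


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` exercises the three outcomes a browser can reach: a fresh "good" response, a "revoked" one (the stolen-key scenario from the start of the page), and a response whose window has lapsed, which is what visitors see when a server staples a cached response it has stopped refreshing. Note that the client never trusts the status field until the signature, the certificate identity and the validity window have all checked out; an attacker who can replay an old "good" response gains nothing once the window has passed.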
Benefits
- Faster: Browsers don't need an extra network request
- More Private: The CA sees periodic requests from your server, not one from every visitor
- More Reliable: A visitor's handshake doesn't depend on the OCSP server being reachable at that moment; your server only needs to reach it occasionally to refresh the cached response
One caveat: unless the certificate carries the OCSP Must-Staple extension, a browser that receives no stapled response simply falls back to its ordinary behaviour (a live query, or no check at all), so a broken stapling setup fails silently. That is why it is worth verifying explicitly, as described below.
The OCSP URL in GuardSSL
When you scan a website, the OCSP URL field shows the OCSP responder address taken from the certificate's Authority Information Access (AIA) extension.
You might see URLs like:
http://ocsp.digicert.com
http://r3.o.lencr.org
http://ocsp.sectigo.com
This tells clients where to ask about this certificate's status. The value is set by the CA when it issues the certificate; you don't choose or change it.
Do You Need to Configure OCSP?
If You Use Cloud Services
Most modern cloud services (Cloudflare, AWS, Vercel, etc.) already handle OCSP Stapling automatically. You don't need to do anything.
If You Manage Your Own Server
You may need to manually enable OCSP Stapling:
Nginx (inside the server block; the chain path is a placeholder for your own):
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/chain.pem;  # issuer and root certificates; required for ssl_stapling_verify
resolver 8.8.8.8 valid=300s;                        # needed to resolve the responder hostname; prefer your own DNS
resolver_timeout 5s;
Apache (SSLStaplingCache must sit in the global server config, outside any <VirtualHost>):
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLUseStapling On
SSLStaplingReturnResponderErrors Off   # don't pass responder error messages on to clients
SSLStaplingResponderTimeout 5
How to Verify OCSP Stapling Works
Use the OpenSSL command (the -servername flag matters on servers that host more than one site, since it selects the certificate via SNI):
openssl s_client -connect example.com:443 -servername example.com -status </dev/null
Look for an "OCSP Response Data:" section in the output containing "Cert Status: good" and a "Next Update" time that is still in the future. If you see "OCSP response: no response sent" instead, the server did not staple anything. Nginx fetches the response in the background after the first handshake, so the first connection after a restart may show no staple; run the command twice before concluding that stapling is broken.
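A small checker that grades that output the way a client would, as an added example written for this page (not part of GuardSSL or OpenSSL). The two transcripts embedded below are constructed samples in the format OpenSSL prints, not captures from a real server, and the script name check_staple.py in the usage comment is hypothetical.

```python
"""Added example (not GuardSSL code): grade the stapling section of
`openssl s_client -status` output. The two transcripts are constructed
samples in OpenSSL's print format, not captures from a real server."""
import re
import sys
from datetime import datetime, timedelta, timezone

STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Example CA Inc, CN = Example Issuing CA
    Produced At: Mar  3 09:00:00 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0123456789ABCDEF0123456789ABCDEF01234567
      Issuer Key Hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
      Serial Number: 04A1B2C3D4E5F60718293A4B5C6D7E8F9A0B
    Cert Status: good
    This Update: Mar  3 09:00:00 2024 GMT
    Next Update: Mar 10 09:00:00 2024 GMT
======================================
---
Certificate chain
"""

NOT_STAPLED = """\
CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
"""

TIME_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. "Mar 10 09:00:00 2024 GMT"
FIELDS = re.compile(r"^\s*(Cert Status|This Update|Next Update|Serial Number): (.+?)\s*$", re.M)


def parse_time(text):
    # OpenSSL pads single-digit days with a second space ("Mar  3"); collapse it.
    return datetime.strptime(" ".join(text.split()), TIME_FMT).replace(tzinfo=timezone.utc)


def evaluate_staple(output, now, min_remaining=timedelta(days=1)):
    """Return (verdict, details). Verdicts: ok, expiring, stale, no-staple,
    responder-error, or the non-good Cert Status itself (e.g. 'revoked')."""
    if "OCSP response: no response sent" in output:
        return "no-staple", {}
    m = re.search(r"OCSP Response Status: (\w+)", output)
    if not m or m.group(1) != "successful":
        return "responder-error", {"response_status": m.group(1) if m else None}
    fields = dict(FIELDS.findall(output))
    this_update = parse_time(fields["This Update"])
    next_update = parse_time(fields["Next Update"])
    details = {"serial": fields["Serial Number"], "status": fields["Cert Status"],
               "this_update": this_update, "next_update": next_update}
    # Clients reject a staple whose window does not cover the current time; this is
    # what a server that stopped refreshing its cached response looks like.
    if not this_update <= now <= next_update:
        return "stale", details
    if fields["Cert Status"] != "good":
        return fields["Cert Status"], details
    if next_update - now < min_remaining:
        return "expiring", details   # still valid, but the server should have refreshed by now
    return "ok", details


if __name__ == "__main__":
    # Pipe a real transcript in (check_staple.py is a hypothetical file name):
    #   openssl s_client -connect example.com:443 -servername example.com -status </dev/null 2>/dev/null | python3 check_staple.py
    transcript = sys.stdin.read() if not sys.stdin.isatty() else STAPLED
    print(evaluate_staple(transcript, datetime.now(timezone.utc)))
```

The "expiring" verdict is the one worth alerting on in monitoring: the staple is still accepted today, but a server that serves a response with less than a day left has usually stopped refreshing, and once "Next Update" passes, visitors' browsers will either reject the staple or fall back to a live query.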
OCSP vs. CRL: What's the Difference?
Besides OCSP, there's an older revocation checking method called CRL (Certificate Revocation List).
| Feature | OCSP | CRL |
|---|---|---|
| Query Method | Ask the responder about one certificate (or receive the answer stapled in the handshake) | Download the CA's complete list of revoked serial numbers |
| Response Speed | Fast (one small signed answer) | Slower (the list can be large) |
| Freshness | Each signed response carries its own validity window, typically hours to days | Lists are published on a schedule, often daily or weekly |
| Bandwidth | Low | High, unless the list is cached or pre-aggregated by the client vendor |
OCSP has been the most widely deployed method for years, but the picture is shifting: browsers increasingly rely on revocation data bundled with the browser rather than live OCSP queries, and at least one major CA (Let's Encrypt) has announced it is retiring its OCSP responders in favor of CRLs. Most certificates still carry a CRL distribution point alongside the OCSP URL.
Key Takeaways
- OCSP is a protocol for real-time certificate revocation status checking
- OCSP Stapling improves performance and privacy
- The OCSP URL in GuardSSL shows the verification server specified in the certificate
- Most modern services already enable OCSP Stapling automatically
- Self-managed servers may need manual configuration
When the check actually happens, rather than being silently skipped, OCSP lets a browser reject a revoked certificate long before it would have expired on its own.
Check Your SSL Certificate Now
Want to see these certificate details for your own website? Use our free SSL checker to instantly analyze your certificate's security, validity, and configuration.
No registration required • Instant results • 100% free