What Is OCSP and Why Does It Matter for SSL?
OCSP lets browsers check in real time whether an SSL certificate has been revoked. Learn how it works, its limitations, and how OCSP stapling improves it.
When a browser connects to an HTTPS site, it doesn't just verify the certificate is valid — it also checks whether the certificate has been revoked before its natural expiry. The primary mechanism for this is the Online Certificate Status Protocol (OCSP).
Why Revocation Exists
A certificate may need to be revoked before its expiry date if the private key is compromised, the domain changes ownership, or the CA makes an issuance error. The "certificate revoked" error is what users see when a browser detects this.
How OCSP Works
- The CA embeds the URL of its OCSP responder in the certificate's Authority Information Access extension.
- When your browser validates a certificate, it sends the certificate's serial number to that URL.
- The OCSP responder replies with a signed status: good, revoked, or unknown.
- If the response is "revoked", the browser rejects the connection.
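The four steps above as a complete, offline round trip, added here as an example and not part of the original article: it uses the openssl command-line tool to stand in for both the client and the CA's responder, and the CA, the leaf certificate, the serial number and the responder URL http://ocsp.example.test are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): an offline OCSP round trip
# with openssl. The CA, the leaf certificate and the responder URL
# http://ocsp.example.test are invented for the demo; nothing on the network
# is contacted.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# A throwaway CA, and a leaf whose Authority Information Access extension
# names the OCSP responder (step 1): this is where a client learns where to ask.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo Root" -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" 2>/dev/null
printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test\n' > ext.cnf
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
  -days 30 -extfile ext.cnf -out leaf.pem 2>/dev/null

# The responder URL a client reads out of the leaf certificate.
ocsp_uri() { openssl x509 -in leaf.pem -noout -ocsp_uri; }

# Client side (step 2): the request carries only the issuer hashes and the
# serial number, so the responder learns nothing else about the connection.
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1

# Responder side (steps 3 and 4), driven by a one-line OpenSSL CA index.
# $1 is V (valid) or R (revoked, with a fixed, constructed revocation time).
# The CA key signs the response; the client then verifies that signature
# against the CA before it believes the status.
ocsp_status() {
  if [ "$1" = R ]; then revoked_at=240101000000Z; else revoked_at=; fi
  printf '%s\t301231235959Z\t%s\t1001\tunknown\t/CN=www.example.test\n' \
    "$1" "$revoked_at" > index.txt
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  out=$(openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem \
    -CAfile ca.pem -no_nonce 2>&1)
  # An unverified response is worthless: only report a status once the
  # signature check has passed.
  printf '%s\n' "$out" | grep -q '^Response verify OK' || { echo unverified; return 1; }
  printf '%s\n' "$out" | sed -n 's/^leaf\.pem: //p'
}

echo "OCSP responder from AIA: $(ocsp_uri)"
echo "status while valid:      $(ocsp_status V)"
echo "status after revocation: $(ocsp_status R)"
```

The same signed response is what a server fetches ahead of time and staples to the TLS handshake; the client's verification step is identical either way, which is why stapling removes the live lookup without letting the server forge a status.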
The Privacy Problem
Every OCSP check tells the CA which site you're visiting and when. This is a meaningful privacy leak. It also introduces latency — the browser has to wait for an external server before loading your page.
OCSP Stapling
OCSP stapling solves both problems. Instead of the browser querying the CA, the web server periodically fetches a signed OCSP response and "staples" it to the TLS handshake. The browser gets the revocation status directly from the server — no external request, no privacy leak, and faster page loads.
CRL: The Alternative
Before OCSP, the primary revocation mechanism was the Certificate Revocation List (CRL) — a periodically published list of revoked serial numbers. CRLs are large files that get unwieldy for high-volume CAs. OCSP was designed to be a lighter, real-time alternative.
Checking Revocation Status
Our SSL Certificate Decoder shows the OCSP responder URL from the Authority Information Access extension, so you can see exactly where a browser would query for revocation status on any certificate you decode.