Online Certificate Status Protocol

The Online Certificate Status Protocol is a way for systems to check whether a certificate has been revoked without relying only on expiration dates.

The Online Certificate Status Protocol, usually called OCSP, is a way for systems to check whether a certificate has been revoked. In plain language, it lets a client ask a trusted responder whether a certificate should still be accepted right now.

Why It Matters

OCSP matters because certificates can become unsafe before their expiration date. Systems need some way to learn about revoked certificates instead of assuming that every not-yet-expired certificate is still valid.

It also matters because revocation checking affects how trustworthy a certificate-based connection really is in practice.

OCSP also matters operationally because revocation data has to be distributed somehow. A PKI program is not complete when it issues certificates; it also needs a dependable way for relying systems to learn when trust has been withdrawn.

Where It Appears in Real Systems or Security Workflow

OCSP appears in TLS, browser trust checks, enterprise PKI deployments, and certificate-based authentication systems. Teams connect it to Certificate Revocation, Digital Certificate, Certificate Authority, and Public Key Infrastructure.

It is part of the larger question of how trust status is distributed after certificates have already been issued.

Security teams often evaluate OCSP behavior when reviewing browser trust, certificate-based access systems, or enterprise PKI resilience. If the responder is unavailable, slow, or inconsistently checked, the security value of revocation can degrade.

How an OCSP Check Fits Into Trust

Figure: a server presents a certificate, the client checks its status with an OCSP responder, and the client then allows or blocks the connection based on the reply.
OCSP inserts a live certificate-status check between certificate presentation and the final trust decision.
OCSP result | What it means | Typical trust outcome
Good | The responder has not marked the certificate revoked | The client can continue with the rest of validation
Revoked | Trust has been withdrawn early | The connection or authentication attempt should be rejected
Unknown | The responder cannot confirm status for that certificate | The client falls back to its policy or treats the trust decision as failed
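To make the table concrete, here is an added example (not code from the original article) of the trust decision a client derives from one OCSP lookup, including the degraded cases mentioned above: no usable response, a stale or mismatched response, and an "unknown" status. The OcspResponse model, the sample helper and the hard_fail policy flag are assumptions for illustration; a real client parses the DER response and verifies the responder's signature before looking at any of these fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "current time" for the constructed samples below.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

@dataclass
class OcspResponse:
    """Constructed model of the fields a client examines in a parsed OCSP response."""
    serial: int                       # serial number the response refers to
    cert_status: str                  # "good", "revoked" or "unknown"
    this_update: datetime             # when the responder last updated this status
    next_update: Optional[datetime]   # when a fresh response should be fetched, if stated
    signature_ok: bool = True         # outcome of responder signature verification (assumed done)

def decide(resp: Optional[OcspResponse], expected_serial: int, now: datetime,
           hard_fail: bool, max_age: timedelta = timedelta(days=7)) -> str:
    """Return "accept" or "reject" from one OCSP lookup. hard_fail is a
    hypothetical policy knob: fail closed when no usable answer is available."""
    no_answer = "reject" if hard_fail else "accept"
    if resp is None:                  # responder unreachable, slow, or timed out
        return no_answer
    # A response that is unsigned, about a different serial, not yet valid,
    # past its next_update, or simply too old counts as no answer, never as "good".
    usable = (resp.signature_ok
              and resp.serial == expected_serial
              and resp.this_update <= now
              and (resp.next_update is None or now <= resp.next_update)
              and now - resp.this_update <= max_age)
    if not usable:
        return no_answer
    if resp.cert_status == "revoked":
        return "reject"               # trust withdrawn early, whatever the fail policy
    if resp.cert_status == "good":
        return "accept"               # OCSP passes; the rest of path validation still applies
    return no_answer                  # "unknown": the responder cannot vouch for this serial

def sample(serial: int, status: str, hours_old: float, hours_left: Optional[float] = 24.0) -> OcspResponse:
    """Build a constructed response dated relative to NOW (helper for the demo and tests)."""
    nxt = None if hours_left is None else NOW + timedelta(hours=hours_left)
    return OcspResponse(serial, status, NOW - timedelta(hours=hours_old), nxt)

if __name__ == "__main__":
    for label, r in [("good", sample(42, "good", 1)), ("revoked", sample(42, "revoked", 1)),
                     ("unknown", sample(42, "unknown", 1)), ("stale", sample(42, "good", 240, None)),
                     ("no response", None)]:
        print(f"{label:12s} hard-fail={decide(r, 42, NOW, True):7s} soft-fail={decide(r, 42, NOW, False)}")
```

The soft-fail column is the degradation the text warns about: an unreachable responder or an "unknown" answer leaves the connection accepted, so revocation only protects as well as the client's fail policy does.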

Practical Example

When a browser connects to a secure website, it may check whether the site’s certificate has been revoked before fully trusting the connection. That lookup can happen through OCSP or through related validation mechanisms such as certificate revocation lists or stapled status responses.

Common Misunderstandings and Close Contrasts

OCSP is not the same as the certificate itself. The certificate proves identity and trust relationships, while OCSP helps answer whether that certificate is still considered valid.

It is also different from Certificate Revocation as a decision or administrative action. OCSP is a way to communicate revocation status to relying systems.

It is also not the only revocation-checking approach. Some environments use certificate revocation lists, while others rely on techniques such as stapled status responses to reduce lookup overhead or improve privacy.

Knowledge Check

  1. What question does OCSP help a client answer? Whether a certificate that was already issued should still be trusted right now.
  2. Why does OCSP matter even when a certificate is not expired yet? Because a certificate can become unsafe before its scheduled expiration date.