Online Certificate Status Protocol
Online Certificate Status Protocol (OCSP) provides applications with a way to determine the revocation status of a digital certificate. Revocation status obtained through OCSP is more up to date than the status available from certificate revocation lists (CRLs).
OCSP revocation status checking is implemented in accordance with RFC 2560. OCSP certificate revocation status checking is available for the end entity certificate. Protocol version 1 over HTTP and the basic response type are supported. OCSP revocation status checking is performed when at least one of the following conditions is met:
- A URL address of an OCSP responder is configured.
- Authority Information Access (AIA) checking is enabled and the certificate to be validated has an AIA extension. The AIA extension must contain a PKIK_AD_OCSP access method with a URI that indicates the HTTP location of the OCSP responder.
Note: Only the first OCSP responder that is identified in the AIA extension is queried for revocation status.
Client sessions with certificate status request processing enabled can ask the server session to send a stapled OCSP response as part of session negotiation for the TLSv1.3 and TLSv1.2 protocols. The client session processes the stapled OCSP response from the server, which eliminates the need for the client to query an OCSP responder for certificate revocation status. A server session must also enable certificate status request processing in order to support OCSP stapling when a client application requests it.