Online Certificate Status Protocol

Online Certificate Status Protocol (OCSP) provides applications with a way to determine the revocation status of a digital certificate. Revocation status obtained through OCSP is more up to date than the status available through certificate revocation lists (CRLs).

OCSP revocation status checking is implemented in accordance with RFC 2560. OCSP certificate revocation status checking is available for the end entity certificate. Protocol version 1 over HTTP and the basic response type are supported.

Certificate revocation status is checked on behalf of the application via OCSP when at least one of the following conditions is true:
  • A URL address of an OCSP responder is configured.
  • Authority Information Access (AIA) checking is enabled and the certificate to be validated has an AIA extension. The AIA extension must contain a PKIK_AD_OCSP access method with a URI that indicates the HTTP location of the OCSP responder.
    Note: Only the first OCSP responder that is identified in the AIA extension is queried for revocation status.
When both URL and AIA checking are enabled, the URL responder is queried first. This order can be changed for an individual application by setting the Global Security Kit (GSKit) API attribute GSK_OCSP_CHECK_AIA_FIRST. A query is sent to the second responder only if the query sent to the first responder results in an undetermined revocation status.
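The responder-selection rules above (configured URL, first AIA responder only, URL-then-AIA order reversed by GSK_OCSP_CHECK_AIA_FIRST, fall-through only on an undetermined result) as an added illustration; this is not System SSL or GSKit code, and the function names, the `Cert` model and the OCSP_ACCESS_METHOD stand-in for the AIA access-method identifier are assumptions. Network queries are replaced by canned answers.

```python
from dataclasses import dataclass, field
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"  # no usable answer: unreachable, error, or "unknown"

# Hypothetical stand-in for the AIA access-method identifier named in the text.
OCSP_ACCESS_METHOD = "PKIK_AD_OCSP"

@dataclass
class Cert:
    subject: str
    aia: list = field(default_factory=list)  # (access_method, uri) pairs, certificate order

def aia_ocsp_responder(cert):
    """First HTTP OCSP responder in the AIA extension; any later ones are never queried."""
    for method, uri in cert.aia:
        if method == OCSP_ACCESS_METHOD and uri.lower().startswith("http"):
            return uri
    return None

def responder_order(cert, url_responder, aia_enabled, aia_first):
    """Responders to try: configured URL then AIA, reversed when GSK_OCSP_CHECK_AIA_FIRST is set."""
    from_aia = aia_ocsp_responder(cert) if aia_enabled else None
    order = [from_aia, url_responder] if aia_first else [url_responder, from_aia]
    return [u for u in order if u]

def check_revocation(cert, url_responder, aia_enabled, aia_first, query):
    """Query responders in order; move to the next one only on an UNDETERMINED result."""
    queried = []
    for uri in responder_order(cert, url_responder, aia_enabled, aia_first):
        queried.append(uri)
        status = query(uri, cert)
        if status is not Status.UNDETERMINED:
            return status, queried
    return Status.UNDETERMINED, queried

# Constructed sample: AIA lists two OCSP responders; canned answers stand in for network calls.
SAMPLE_CERT = Cert("CN=example", aia=[(OCSP_ACCESS_METHOD, "http://ocsp1.example/"),
                                      (OCSP_ACCESS_METHOD, "http://ocsp2.example/")])
CONFIGURED_URL = "http://ocsp.local.example/"
CANNED = {CONFIGURED_URL: Status.UNDETERMINED,  # configured responder unreachable
          "http://ocsp1.example/": Status.REVOKED}

def canned_query(uri, cert):
    return CANNED.get(uri, Status.UNDETERMINED)
```

With the canned answers, the default order reaches the AIA responder only because the configured URL answered "undetermined"; with the AIA-first attribute set, the configured URL is never contacted.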

Client sessions with certificate status request processing enabled can ask the server session to send a stapled OCSP response as part of session negotiation for the TLSv1.3 and TLSv1.2 protocols. The client session processes the stapled OCSP response from the server, eliminating the need for the client to query an OCSP responder for certificate revocation status. A server session must also enable certificate status request processing in order to support OCSP stapling when it is requested by a client application.