/ˌoʊ.siːˈɛs.piː/
noun — "the real-time check that keeps digital certificates honest."
OCSP, short for Online Certificate Status Protocol, is a network protocol used to obtain the real-time revocation status of a digital certificate within a PKI framework. Unlike Certificate Revocation Lists (CRLs), which are published periodically, OCSP allows clients to query a Certificate Authority (CA) directly to verify whether a certificate is valid, revoked, or unknown.
Technically, a client sends a signed or unsigned OCSP request containing the certificate’s serial number to an OCSP responder hosted by the CA. The responder returns a digitally signed response indicating the certificate status: “good,” “revoked,” or “unknown.” This real-time verification reduces the latency and uncertainty inherent in relying solely on CRLs.
Key characteristics of OCSP include:
- Real-time verification: provides up-to-date certificate status.
- Signed responses: ensure authenticity and integrity of the status information.
- Lightweight: avoids downloading large CRLs by querying the status of only the certificate in question.
- Integration: used by web browsers, email clients, and secure applications.
- Complementary to CRLs: enhances PKI trust management.
In practical workflows, clients like browsers or VPN software send OCSP requests when establishing secure connections to validate certificates in real time. Administrators configure OCSP responders and ensure high availability to maintain continuous trust in certificate-based communications.
Conceptually, OCSP is like a live verification desk at the door: instead of waiting for a list of revoked IDs, it checks instantly whether a certificate is trustworthy.
Intuition anchor: OCSP keeps certificate trust dynamic and current, preventing compromised keys from slipping through.