What is an OCSP responder?
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. The “request/response” nature of these messages leads to OCSP servers being termed OCSP responders. Some web browsers use OCSP to validate HTTPS certificates.
How do I check my OCSP responder?
You need to perform the following steps:
- Obtain the certificate that you wish to check for revocation.
- Obtain the issuing certificate.
- Determine the URL of the OCSP responder.
- Submit an OCSP request and observe the response.
How do you set up an OCSP responder?
Solution
- Locate the OCSP Response Signing Certificate > Properties.
- Security Tab > Add in the server that will be hosting the OCSP service, (I always use the same server that’s serving my CRL).
- Grant the server read and enroll rights > Apply > OK.
- Then issue the OCSP Responder Template.
What is the difference between CRL and OCSP?
- Certificate Revocation List (CRL): a CRL is a list of revoked certificates that is downloaded from the Certificate Authority (CA).
- Online Certificate Status Protocol (OCSP): OCSP is a protocol for checking the revocation status of a single certificate interactively, using an online service called an OCSP responder.
What is online responder used for?
The Online Responder Web proxy decodes and verifies the request. If the request is valid, the Web proxy cache is checked for the revocation information needed to fill the request. If current information is not available in the cache, the request is forwarded to the Online Responder service.
What binds a digital certificate to a user?
Digital certificates are electronic credentials that bind the identity of the certificate owner to a pair of electronic encryption keys (one public and one private) that can be used to encrypt and sign information digitally.
How do you know if your OCSP has been stapled?
Check if OCSP stapling is enabled. Go to and in the Server Address box, type in your server address (i.e. ). If OCSP stapling is enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Good.
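The same check can be made from the command line instead of a web form. The script below is an added example, not code from this page; it assumes the openssl CLI is installed and uses the text that `openssl s_client -status` prints when a server does or does not staple an OCSP response. The two sample outputs are constructed for the offline demonstration; `check_staple` performs the live check against a host you name.

```shell
#!/bin/sh
# Added example, not from the page: check OCSP stapling from the command line
# with "openssl s_client -status" rather than a web-based checker.
set -eu

# Classify the text that "openssl s_client -status" prints about the staple.
# The strings matched are the ones s_client and OCSP_RESPONSE_print emit.
# Prints one of: stapled-good, stapled-revoked, stapled-other, not-stapled.
classify_staple() {
    out="$1"
    case "$out" in
        *"OCSP Response Status: successful"*)
            case "$out" in
                *"Cert Status: good"*)    echo "stapled-good" ;;
                *"Cert Status: revoked"*) echo "stapled-revoked" ;;
                *)                        echo "stapled-other" ;;
            esac ;;
        *) echo "not-stapled" ;;   # covers "OCSP response: no response sent"
    esac
}

# Live check against a real server (needs network; the samples below do not).
# Usage: check_staple example.com [443]
check_staple() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -status \
          </dev/null 2>/dev/null || true)
    classify_staple "$out"
}

# Constructed samples of what s_client prints, trimmed to the relevant lines.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_NONE='OCSP response: no response sent'

echo "stapled sample   -> $(classify_staple "$SAMPLE_STAPLED")"
echo "no-staple sample -> $(classify_staple "$SAMPLE_NONE")"
```

A server that staples will show "OCSP Response Status: successful" followed by the certificate's status; a server that does not will print "OCSP response: no response sent". Passing `-servername` matters, since a host serving several certificates staples the one for the name you ask for.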
How do I renew my OCSP certificate?
Look for any certificates with the OCSP Signing enhanced key usage (EKU) extension. Right-click the certificate, point to All Tasks, and then click Renew Certificate with New Key or Renew Certificate with Existing Key to start the Certificate Renewal Wizard. Use the wizard to complete the renewal process.
What is the main benefit of OCSP over CRL?
In comparison to CRL checking, OCSP requests contain far less data, so they are easier for networks to handle: systems do not have to download the latest list of every revoked certificate whenever a certificate is checked.
How do I get an OCSP certificate?
Testing OCSP with OpenSSL
- Step 1: Get the server certificate. First, make a request to get the server certificate.
- Step 2: Get the intermediate certificate. Normally, a CA does not sign a certificate directly.
- Step 3: Get the OCSP responder for server certificate.
- Step 4: Make the OCSP request.
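Steps 1 to 4 above, and the four-item checklist under "How do I check my OCSP responder?", carried out with the openssl command line. This is an added example, not code from this page; it assumes the openssl CLI (1.1.1 or newer) is installed. Everything it touches is constructed so it runs offline: a throwaway CA signs one leaf certificate whose AIA extension names a made-up responder URL, and openssl itself stands in for the responder by answering from an index file. Against a real server, step 1 would instead use `openssl s_client -connect host:443 -showcerts`, and step 4 would pass the URL from step 3 to `openssl ocsp -url`.

```shell
#!/bin/sh
# Added example, not from the page: the four OCSP steps run end to end with
# the openssl CLI, fully offline. The CA, leaf, URL and index are constructed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Demo set-up (stands in for steps 1 and 2): a throwaway CA and one leaf whose
# Authority Information Access extension names a responder that does not exist.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Demo Root CA" -days 365 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example.test" >/dev/null 2>&1
    printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/\n' > leaf.ext
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
        -days 30 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}

# Step 3: the responder URL is read from the certificate's AIA extension.
ocsp_url() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# The responder's view of the world: an OpenSSL-style index file with one
# tab-separated row per issued certificate (status V or R, expiry, revocation
# time, serial, file name, subject), the format "openssl ocsp -index" reads.
# The two timestamps are fixed placeholders; only status and serial matter here.
write_index() {
    serial=$(openssl x509 -noout -serial -in leaf.pem | sed 's/^serial=//')
    if [ "$1" = "R" ]; then
        printf 'R\t991231235959Z\t240101000000Z\t%s\tunknown\t/CN=leaf.example.test\n' \
            "$serial" > index.txt
    else
        printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=leaf.example.test\n' \
            "$serial" > index.txt
    fi
}

# Step 4 end to end: build the request (client), answer it from the index
# (responder), then verify the signed response against the CA (client).
# Prints "good" or "revoked"; prints "unverified" and fails otherwise.
ocsp_status() {
    write_index "$1"
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der -noverify >/dev/null 2>&1
    out=$(openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce \
        -respin resp.der -CAfile ca.pem 2>&1)
    case "$out" in
        *"Response verify OK"*) printf '%s\n' "$out" | sed -n 's/^leaf.pem: //p' ;;
        *) echo "unverified"; return 1 ;;
    esac
}

make_test_pki
echo "Responder URL from AIA: $(ocsp_url leaf.pem)"
echo "Index says V -> $(ocsp_status V)"
echo "Index says R -> $(ocsp_status R)"
```

The last openssl call is the one that matters to a relying party: `-CAfile` gives it the trust anchor, and it refuses the status unless the response signature verifies back to that anchor. The `-no_nonce` flags keep request and response consistent across the separate invocations; when querying a live responder with `-url`, the default nonce should be left on so a replayed old response is detected.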