Certificates such as SSL/TLS and X.509 certificates are used to secure network traffic. Every certificate has its own life cycle, and in a distributed environment like the internet that life cycle has to be managed. The Online Certificate Status Protocol (OCSP) is used to manage certificate validity and the certificate life cycle.
The OCSP standard is defined in RFC 6960 under the title "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP". It obsoletes the earlier PKIX definition of the certificate status protocol.
The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of identified certificates. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificates in question until the responder provides a response.
When we make a request to an OCSP server, the following information must be present in the OCSP request:
- `Protocol Version`
- `Service Request`
- `Target Certificate Identifier`
OCSP servers provide this service over the OCSP protocol. A client can interactively check the status of an X.509 or SSL certificate; the check is keyed on the certificate serial number.
The certificate shown here is valid between 16/12/2018 and 16/12/2019. If this certificate is stolen, OCSP can be used to report it as invalid before that validity period ends.
OCSP Certificate Status Response
When a certificate status is checked, the OCSP server can return one of the following responses:
- `Current` means the certificate is valid and can be used.
- `Expired` means the certificate is not valid and should not be used.
- `unknown` means the responder does not know the certificate, which typically happens with self-signed certificates.
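The request and response exchange described above, as an added example that is not part of the original page, written with Python's `cryptography` package: the client builds the certificate identifier from the issuer name hash, the issuer key hash and the serial number, a constructed test CA acts as the responder, and the client verifies the responder's signature before trusting the status. RFC 6960 names the certificate statuses good, revoked and unknown; the CA name, host name and serial number 4242 used here are constructed, and nothing is fetched from the network.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

def make_cert(subject, issuer_name, issuer_key, key, serial, ca=False):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

# Constructed test CA and one leaf certificate it issued (serial number 4242).
ca_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
ca_cert = make_cert(ca_name, ca_name, ca_key, ca_key, 1, ca=True)
leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
leaf_cert = make_cert(leaf_name, ca_name, ca_key, leaf_key, 4242)
issued = {4242: leaf_cert}  # the responder's database, keyed by serial number

def build_request(cert, issuer):
    """Client side: CertID = hash(issuer name) + hash(issuer key) + serial number."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build().public_bytes(serialization.Encoding.DER)

def respond(req_der, revoked_serials):
    """Responder side: look up the requested serial, answer good/revoked, sign as the CA."""
    req = ocsp.load_der_ocsp_request(req_der)
    now = datetime.datetime.now(datetime.timezone.utc)
    bad = req.serial_number in revoked_serials
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=issued[req.serial_number], issuer=ca_cert, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if bad else ocsp.OCSPCertStatus.GOOD,
        this_update=now, next_update=now + datetime.timedelta(hours=1),
        revocation_time=now if bad else None, revocation_reason=x509.ReasonFlags.key_compromise if bad else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def check_status(resp_der, issuer):
    """Client side: verify the responder's signature before trusting the status."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "no_status:" + resp.response_status.name.lower()
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    return resp.certificate_status.name.lower()  # "good", "revoked" or "unknown"

def lookup(revoked_serials=frozenset()):
    return check_status(respond(build_request(leaf_cert, ca_cert), revoked_serials), ca_cert)
```

Calling `lookup()` answers good for the test certificate, and `lookup({4242})` answers revoked once the CA has marked that serial as compromised.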
OCSP is Better Than Certificate Revocation List (CRL)
Before OCSP there was the Certificate Revocation List (CRL). A CRL is a list of certificates that have been invalidated or have expired for various reasons, and every client must download this list at specified intervals. This mechanism is not secure because:
- An invalid certificate can be accepted by a client that does not yet know it has been revoked.
- The interval between CRL downloads is a window in which a revoked certificate is still trusted.
- Downloading a CRL is neither practical nor easy.
- Downloading the CRL again and again consumes bandwidth and storage on entries the client never needs.