OCSP & SSL Certificates — All You Need to Know About OCSP Protocol


We know you’re here to learn about the online certificate status protocol (OCSP) and what some people call an “OCSP certificate”, but first, let’s take a moment to imagine you’re a web browser (yes, we’re serious).

In this scenario, one of your users types in the URL of an SSL-enabled website. Because you’re a browser, you’re supposed to visit the website, fetch it and show it to your user. So, how would you verify that the certificate of the website is valid? How do you know whether the certificate authority (CA) has revoked the certificate?

Both of these questions are quite important since an SSL certificate acts as the identity of the website. You must check the identity, right? As an obedient browser, you’re ready to do it.

But here comes a problem.

There are so many certificate authorities around the world, and you’d have to go to each certificate authority’s database and verify the certificate there. That’s impractical: there are tons of different databases, and you’d have to consult a different one each time a user wants to visit a website. What if there was a system through which all approved certificate authorities report the status of the certificates they issued? Your job would become much easier, right? Well, there is. It’s called the online certificate status protocol.

So, What Exactly is an OCSP Certificate?

Well, technically, there’s no such thing as an OCSP certificate. It’s just an SSL certificate. OCSP, the online certificate status protocol, is an internet protocol through which web browsers determine the revocation status of SSL/TLS certificates installed on websites. Although SSL/TLS certificates come with a validity period, they sometimes need to be revoked before that period ends. In these circumstances, it’s essential for browsers to know about the revocation. OCSP facilitates this by giving the web browser a “valid” or “revoked” status for the certificate. If the status is valid, the browser will deem the website valid and encrypt the data. If the certificate has been revoked, the browser will display a warning to the user about the revocation. Simple, isn’t it?

How OCSP Works

This is what happens when a browser visits an SSL-enabled website:

  1. The web server responds by sharing the SSL certificate installed on it.
  2. Now that the browser has the certificate details, it sends a request to the corresponding certificate authority’s OCSP responder.
  3. The OCSP responder replies to the browser, stating whether the certificate is in a valid state or has been revoked.
  4. The browser proceeds to the website if the certificate is found to be valid and displays an error if the certificate has been revoked.

Potential Security Issues of OCSP

OCSP was introduced as an alternative to certificate revocation lists (CRLs) to mitigate the performance issues encountered with CRLs. Although it did help in eliminating those issues, it gave rise to a new set of security concerns.

An OCSP responder holds the certificate status of millions of SSL certificates. If the OCSP server is down for any reason, millions of users around the world won’t be able to get the revocation status of those certificates, and their browsers will proceed with the HTTPS connection anyway. As a result, browsers will continue to websites whose certificates have been revoked. This, needless to say, is a security concern.

Cybercriminals might take advantage of this limitation by blocking connections to OCSP responders and then using a stolen or fake certificate to fool users into handing over their sensitive data.

OCSP Stapling: The Solution

It’s funny that OCSP, which was supposed to be the solution to CRLs’ problems, introduced its own set of challenges. What’s more, OCSP, just like CRLs, puts a significant burden on the web browser (the client) to check the status of a certificate.

Here comes OCSP Stapling.

OCSP stapling, unlike CRLs and plain OCSP, puts the status verification burden on the web server instead of the client. It is the web server that contacts the OCSP responder on a regular basis to check the status of its certificate. Here’s how it works:

  1. At regular intervals, the web server connects to the OCSP responder to check the status of its SSL certificate.
  2. The OCSP responder responds to the web server by sending a time-stamped OCSP response signed by the certificate authority.
  3. When a browser connects to the web server, the web server sends the stapled (time-stamped) response to the browser in the SSL/TLS handshake. In turn, the browser learns whether the certificate is valid or not without contacting the responder itself.

Thanks to OCSP stapling, the security limitations of OCSP can be eliminated. Not only that, but it also saves load on the web browser as well as the OCSP responder, which results in faster overall performance.

Conclusion

The tale of OCSP is the perfect illustration of the world of internet security. OCSP, introduced to solve CRL’s problems, was found to have its own issues and had to be reinvented to make it work. OCSP stapling is an excellent solution to mitigate security concerns and provide browsers with an up-to-date status of certificates. Having said that, OCSP stapling also comes with its limitations. However, it’s the best solution that we have right now. If you have a web server, you must enable OCSP stapling on your web server.
