The Online Certificate Status Protocol (OCSP) provides a way to verify the status of certificates, for example when establishing VPN connections. Devices use this protocol to check whether the issuer has revoked a certificate before its expiry date, i.e. marked it as invalid.
Certificate issuers update the status of all issued certificates on a special server, the OCSP responder. The OCSP client (e.g. a VPN
router that wants to establish a connection) uses the HTTP protocol to send an OCSP request to the responder to verify the
certificate. The responder answers with a signed response; the OCSP client verifies the signature on that response before it trusts the
status it carries. The message from the OCSP responder describes one of the following conditions:
- Good: The verified certificate has not been revoked.
- Revoked: The verified certificate has been revoked and may not be used to establish VPN connections.
- Unknown: The OCSP responder cannot determine the status of the certificate. This may be because the OCSP responder does not recognize the certificate issuer, for example because the certificate has been forged and was therefore never entered into the database of the OCSP responder.
You can use OCSP to complement or replace certificate verification by certificate revocation lists (CRLs). OCSP offers the
following advantages when compared to CRLs:
- The issuers generate the CRLs at specific time intervals and, in the ideal case, distribute the CRLs to the devices which use the certificates for establishing VPN connections. The reliability of this check thus depends on the speed with which CRLs in the devices are updated. However, certificate verification through an OCSP responder is always "online", i.e. it is automatically updated. The operator of the OCSP responder can automatically synchronize their data with that of the CA or CAs, thus ensuring that they are up to date at all times.
- Using certificate revocation lists for certificate verification takes up a considerable amount of device memory, especially if the CRLs are large. Querying certificate status from an OCSP responder, on the other hand, is independent of the number of CAs and certificates being used, and is therefore more scalable.
- As the CRL method has no notion of an unknown certificate, it cannot detect forged certificates. The OCSP responder, depending on its configuration, responds to a request about an unknown certificate with a negative evaluation.