Chapter 10. Online Certificate Status Protocol

Online Certificate Status Protocol is a technology which allows web browsers and web servers to communicate over a secured connection. In this the encrypted data is sent from one side and decrypted by the other side before processing. The web browser and the web server both encrypt and decrypt the data.

During communication with a web server, the server presents a set of credentials in the form of certificate. The browser then checks the certificate for its validity and sends a request for certificate status information. The server sends back a status as current, expired, or unknown. The certificate specifies syntax for communication and contains control information such as start time and end time, address information to access an OCSP responder. The web server can use an OCSP responder, it has been configured for, or the one listed in the certificate, to check the status. OCSP allows a grace period for expired certificates which allows access to a server for a limited time before renewing the certificate.

Online Certificate Status Protocol overcomes the limitation of older method, Certificate Revocation List (CRL). For more information on OCSP, see the Red Hat Certificate System Admin Guide and https://access.redhat.com/site/articles/417843.