Q&A: What is OCSP?

Question

What is the purpose of OCSP, and can it be enabled on the F5 Silverline service?

Environment

  • SSL/TLS Certificates
  • PKI
  • OCSP
  • Silverline WAF/DDoS 
  • Proxies/Proxy

NOTE: OCSP stapling cannot yet be enabled in Silverline.

Answer

The abbreviation OCSP stands for Online Certificate Status Protocol.

OCSP was designed as a faster alternative to CRLs (Certificate Revocation Lists). Instead of downloading and parsing a CA's complete revocation list, a client asks about one certificate and gets back a short, signed answer, so a revocation becomes visible as soon as the CA's responder learns of it rather than at the next CRL publication.

The protocol defines how a client (most often a browser) asks for and receives certificate status information. Having received the server certificate in the TLS handshake, the client sends an OCSP request, which identifies the certificate by a hash of the issuer's name, a hash of the issuer's public key and the serial number, to the CA's OCSP responder, and gets back a digitally signed response carrying one of three statuses:

  • good; the certificate with the requested serial number is not revoked. This says nothing about expiry or any other validity check, which the client still has to perform itself.
  • revoked; the certificate with the requested serial number has been revoked, permanently or temporarily (the certificateHold reason). The response also carries the revocation time and usually the reason.
  • unknown; the responder could not determine the status, most often because the request names an issuer this responder does not serve. The client can decide at that point whether to fall back to the CRL.

The response is signed either by the CA itself or by a responder certificate the CA has issued for that purpose, and the client verifies that signature before acting on the status. Note that browsers generally soft-fail: if the responder cannot be reached, the connection is usually allowed anyway, which is one reason stapling, where the server fetches the response and sends it along with the certificate, is preferred where it is available.

Example of revoked certificate: 

The request is sent to the URL in the Authority Information Access (AIA) extension of the certificate whose status is being checked. To check a server certificate, read the AIA of the server certificate itself; the AIA in the intermediate certificate points at the responder for the intermediate, not for the server certificate. The intermediate (issuer) certificate is still needed to build the request, because the certificate is identified by hashes of the issuer's name and public key together with the serial number. If you open a certificate, this is where the AIA section is found:

[Screenshot mceclip0.png: the Authority Information Access section of the certificate]

If the certificate is revoked, you see a screen similar to the one below:

[Screenshot mceclip1.png: status shown for a revoked certificate]

You can also use openssl. The command below prints the OCSP responder URL from the certificate's AIA extension; it does not fetch a response. To actually query the responder, pass that URL together with the certificate and its issuer certificate to openssl ocsp, which sends the request, verifies the signed response and prints the status:

openssl x509 -noout -ocsp_uri -in certificate.pem
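The complete exchange, as an added example that is not part of this article: the script below uses only the openssl command line, builds a throwaway CA with three leaf certificates, and plays both the client (build the request from the certificate and its issuer, then verify the signed response) and the responder (answer from an index file, sign with the CA key). It runs offline by passing the DER request and response as files instead of over HTTP, and it goes beyond the article's revoked case by producing all three statuses. The CA name, the serials 0x1001 to 0x1003, the AIA URL http://ocsp.demo.example.test/, the dates and the index.txt contents are all assumptions made up for the demo; index.txt uses the format that openssl ca maintains.

```shell
#!/bin/sh
# Added example (not from the F5 article): a complete OCSP exchange driven by
# the openssl CLI, entirely offline. A throwaway CA issues three certificates,
# an openssl-ca style index.txt marks one of them revoked, and for each
# certificate we then play the CLIENT (build the request from the cert and
# its issuer) and the RESPONDER (answer from the index, sign with the CA key),
# exchanging DER files instead of HTTP. Every name, serial, URL and date below
# is an assumption made up for the demo.
set -eu

# Build the demo PKI under directory $1.
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
# The responder URL lives in the AIA of the certificate being checked.
authorityInfoAccess = OCSP;URI:http://ocsp.demo.example.test/
EOF
    # Self-signed CA; P-256 keys keep key generation fast.
    openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 1 2>/dev/null
    # Three leaf certificates with known serials: 0x1001 (good),
    # 0x1002 (revoked) and 0x1003 (never recorded by the responder).
    serial=4097
    for name in good revoked unknown; do
        openssl req -new -config "$dir/pki.cnf" \
            -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -subj "/CN=$name.example.test" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -set_serial "$serial" -days 1 -extfile "$dir/pki.cnf" -extensions v3_leaf \
            -out "$dir/$name.crt" 2>/dev/null
        serial=$((serial + 1))
    done
    # The responder's database, in the format 'openssl ca' maintains:
    # status, expiry, revocation time[,reason], serial (hex), file, subject.
    # Serial 1003 is deliberately missing, so the responder cannot know it.
    printf 'V\t270101000000Z\t\t1001\tunknown\t/CN=good.example.test\n' > "$dir/index.txt"
    printf 'R\t270101000000Z\t240615120000Z,keyCompromise\t1002\tunknown\t/CN=revoked.example.test\n' >> "$dir/index.txt"
    echo 'unique_subject = yes' > "$dir/index.txt.attr"
}

# What a client does first: read the responder URL from the AIA of $2.crt.
ocsp_uri_of() {
    openssl x509 -noout -ocsp_uri -in "$1/$2.crt"
}

# Client: build the request for $2.crt (issuer hashes + serial) and write it
# to $2.req instead of POSTing it to the AIA URL. -no_nonce only because the
# verification step below rebuilds the request; real clients keep the nonce.
ocsp_request() {
    openssl ocsp -issuer "$1/ca.crt" -cert "$1/$2.crt" -no_nonce \
        -reqout "$1/$2.req" 2>/dev/null
}

# Responder: answer $2.req from index.txt and sign the response with the CA
# key (the CA answering for itself; a delegated OCSP signer would also work).
ocsp_respond() {
    openssl ocsp -index "$1/index.txt" -CA "$1/ca.crt" \
        -rsigner "$1/ca.crt" -rkey "$1/ca.key" \
        -reqin "$1/$2.req" -respout "$1/$2.resp" 2>/dev/null
}

# Client: verify the response signature against the CA and print the status
# word (good, revoked or unknown). A response that does not verify is never
# turned into a status.
ocsp_status() {
    ocsp_request "$1" "$2"
    ocsp_respond "$1" "$2"
    out=$(openssl ocsp -issuer "$1/ca.crt" -cert "$1/$2.crt" -no_nonce \
              -CAfile "$1/ca.crt" -respin "$1/$2.resp" 2>&1 || true)
    printf '%s\n' "$out" | grep -q 'Response verify OK' || { echo verify-failed; return 1; }
    printf '%s\n' "$out" | awk -F': ' -v f="$1/$2.crt" '$1 == f { print $2 }'
}

DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT
build_demo_pki "$DEMO_DIR"
echo "AIA OCSP URL: $(ocsp_uri_of "$DEMO_DIR" good)"
for name in good revoked unknown; do
    printf '%-8s -> %s\n' "$name" "$(ocsp_status "$DEMO_DIR" "$name")"
done
# Prints: good -> good, revoked -> revoked, unknown -> unknown
```

Against a real responder the client side collapses into a single call: openssl ocsp with -issuer, -cert, -url (the value printed by -ocsp_uri) and -CAfile sends the request over HTTP, verifies the response and prints the same summary line. The -no_nonce flag is only there because the offline flow rebuilds the request for verification; with a live responder leave nonces on, since they are what ties a response to the request that asked for it.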
