Online Certificate Status Protocol

Online Certificate Status Protocol (OCSP) provides applications with a way to determine the revocation status of a digital certificate. Revocation status obtained through OCSP is more up to date than the status available through certificate revocation lists (CRLs).

OCSP revocation status checking is implemented in accordance with RFC 2560. OCSP revocation status checking is available for the end-entity certificate. Protocol version 1 over HTTP and the basic response type are supported.

An application checks certificate revocation status via OCSP when at least one of the following conditions is true:
  • A URL address of an OCSP responder is configured.
  • Authority Information Access (AIA) checking is enabled and the certificate to be validated has an AIA extension. The AIA extension must contain a PKIK_AD_OCSP access method with a URI that indicates the HTTP location of the OCSP responder.
    Note: Only the first OCSP responder that is identified in the AIA extension is queried for revocation status.
When both a responder URL and AIA checking are enabled, the URL responder is queried first; the AIA responder is queried only if that query results in an undetermined revocation status.
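The following added example (not the product's own code) models the responder-selection rules above: a configured URL responder is tried first, the AIA responder only as a fallback when the status stays undetermined, and only the first id-ad-ocsp entry of the AIA extension is ever used. Certificates are reduced to their AIA access descriptions and responder answers come from a constructed table, so it runs offline.

```python
# Added illustration of the OCSP responder-selection rules; not the
# product's own code.  Responder answers are a constructed table.
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp access method
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers: not a responder
GOOD, REVOKED = "good", "revoked"
UNDETERMINED, NOT_CHECKED = "undetermined", "not-checked"


def first_aia_ocsp_responder(aia):
    """First id-ad-ocsp HTTP URI in the AIA extension, or None.
    Only the first such entry is used; other access methods are skipped."""
    for method, location in aia or []:
        if method == ID_AD_OCSP and location.lower().startswith("http"):
            return location
    return None


def check_status(aia, responder_url, aia_checking, query):
    """Return (status, responders_tried) under the documented rules.
    query(url) stands in for one OCSP request/response exchange.
    The configured URL is queried first; the AIA responder only if AIA
    checking is enabled and the URL responder (if any) left the status
    undetermined.  With neither available, no OCSP check is performed."""
    tried, status = [], NOT_CHECKED
    if responder_url:
        tried.append(responder_url)
        status = query(responder_url)
        if status != UNDETERMINED:
            return status, tried
    if aia_checking:
        uri = first_aia_ocsp_responder(aia)
        if uri:
            tried.append(uri)
            status = query(uri)
    return status, tried


# Constructed data: the configured responder is unreachable; the leaf's
# AIA lists a caIssuers entry before two OCSP responders.
ANSWERS = {"http://ocsp1.ca.example.test": REVOKED,
           "http://ocsp2.ca.example.test": GOOD}
LEAF_AIA = [(ID_AD_CA_ISSUERS, "http://ca.example.test/ca.cer"),
            (ID_AD_OCSP, "http://ocsp1.ca.example.test"),
            (ID_AD_OCSP, "http://ocsp2.ca.example.test")]


def demo():
    """Fallback path: URL responder undetermined, then first AIA responder."""
    return check_status(LEAF_AIA, "http://ocsp.example.test", True,
                        lambda url: ANSWERS.get(url, UNDETERMINED))
```

Note that the second AIA responder is never contacted even though it would answer "good"; a deployment that relies on the AIA path should make sure the first OCSP entry in its certificates is the responder it wants used.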