OCSP Stapling and Certificate Transparency
Configure OCSP stapling for performance and understand Certificate Transparency logs for auditability.
CRL Problems
Certificate Revocation Lists (CRLs) are files published by CAs listing all revoked certificates. CRLs suffer from several problems: they grow large over time, clients must download them completely, they have limited freshness (published on a schedule), and browsers historically soft-failed (accepted certificates) when CRL fetching failed, making revocation unreliable in practice.
OCSP for Real-Time Status Checks
The Online Certificate Status Protocol (OCSP, RFC 6960) allows clients to query a CA's OCSP responder in real time for the revocation status of a specific certificate. An OCSP response states the certificate is "good," "revoked," or "unknown" and is signed by the CA. This is more efficient than downloading an entire CRL.
All lessons in this course
- OpenSSL Command-Line Essentials
- Creating and Managing Certificate Chains
- OCSP Stapling and Certificate Transparency
- Let's Encrypt and ACME Protocol Automation