
OCSP Server

Revocation is a fundamental process in the full management of a certificate. Having a mechanism to void a certificate in case it has been compromised is a paramount feature for any CA. The process consists in the CA marking a certificate as “no longer valid” (at the request of the legitimate user or at the CA’s discretion). However, how does one check whether a certificate is still valid? Certificates are immutable: they can never be modified. Thus, this “revoked mark” is not placed in the certificate itself, but on the CA servers.

There are two ways to check the validity of a certificate:

  1. By using public lists, the Certificate Revocation List (CRL). A CRL is a file that can be downloaded from the CA servers and that stores the serials of all revoked certificates. The URL of the CRL file is embedded in the certificate during the issuing process, so anyone can inspect the certificate, obtain the CRL and check whether the certificate is revoked or not. However, if the CA issues lots of certificates, the CRL may grow rapidly, making it unfeasible to download a file of thousands of megabytes every time you want to check it. Furthermore, not all CAs update their CRL quickly: CRLs are usually regenerated periodically, every few hours or days. During this period the certificate is still accepted as valid, even though the user has requested its revocation.
  2. The Online Certificate Status Protocol (OCSP) was proposed to solve the shortcomings of the previous approach. OCSP is a service provided by the CA: a client contacts the CA’s servers and asks for the status of a particular certificate. The approach is very simple: “Hey, CA! Is the certificate from Pol Henarejos with the serial number A382B2811F still valid?” and the CA replies “Yeah! You are safe.” or “NO, GO AWAY WITHOUT LOOKING BEHIND”.

The URL of the OCSP server, like that of the CRL, is stored in the certificate. Thus, anyone can check whether a certificate is valid just by making a query to the OCSP server.

From now on, all certificates issued by CASTLE CA contain the URL of the OCSP server, and the status of any certificate can be checked with standardized tools (such as OpenSSL or LibreSSL).
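The whole exchange can be reproduced offline with the OpenSSL command-line tool, which doubles as a file-based OCSP responder. The script below is an added example, not CASTLE CA’s code: it creates a throw-away CA, issues a certificate with a made-up serial, records the revocation in the CA’s database (the “revoked mark” lives there, not in the certificate), answers an OCSP request from that database and verifies the signed answer on the client side. Every file name, subject, serial, date and revocation reason is a constructed placeholder.

```shell
#!/bin/sh
# Offline OCSP round trip with the openssl CLI: a throw-away CA issues a
# certificate, revokes it in its index, answers an OCSP request from that
# index, and the client verifies the signed answer. All names, the serial
# (0x0A), the dates and the revocation reason are constructed for this demo.
set -eu

# Throw-away CA plus one leaf certificate with a known serial number.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=DemoCA \
      -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=leaf \
      -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x0A \
      -days 1 -out leaf.pem 2>/dev/null
}

# The "revoked mark" lives in the CA's database, not in the certificate.
# $1 is V (valid) or R (revoked). One tab-separated line in the index.txt
# format that openssl ca(1) keeps: status, expiry, revocation time[,reason],
# serial, file name, subject. The dates are constructed placeholders; the
# responder keys its lookup on the serial.
set_status() {
  if [ "$1" = R ]; then
    printf 'R\t260101000000Z\t250601120000Z,keyCompromise\t0A\tunknown\t/CN=leaf\n' > index.txt
  else
    printf 'V\t260101000000Z\t\t0A\tunknown\t/CN=leaf\n' > index.txt
  fi
}

# The exchange described in the post, with files standing in for the network:
#  1. the client builds a request for leaf.pem (no nonce, so the files can be replayed),
#  2. the CA's responder answers from index.txt and signs with the CA key,
#  3. the client checks the signature against the CA and reads the status word.
ocsp_status() {
  openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
      -reqin req.der -respout resp.der -noverify >/dev/null
  openssl ocsp -respin resp.der -CAfile ca.pem -issuer ca.pem -cert leaf.pem \
      -no_nonce | sed -n 's/^leaf\.pem: //p'   # prints good, revoked or unknown
}

cd "$(mktemp -d)"
make_demo_ca
set_status V
echo "before revocation: $(ocsp_status)"
set_status R
echo "after revocation:  $(ocsp_status)"
```

Against a real CA the request goes over HTTP to the URL embedded in the certificate, but the client-side step is the same: a response counts only once its signature has been verified against the issuing CA.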

With this announcement, we are paving the way for easier S/MIME validation.