Online Certificate Status Protocol (OCSP) vs Certificate Revocation Lists (CRLs)

Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRLs) are two methods of maintaining Certificate Lifecycle Management (CLM) for your organization. But before getting into which method is best, let’s discuss why you should even be using CLM in the first place.
As you might know, when HTTPS is used on the websites managed by organizations, SSL certificates are deployed. Organizations obtain these from a Certificate Authority (CA), which validates whether the certificate is legitimate. These certificates, however, have a validity period during which they stay active and are used to encrypt all communications to and from the server, protecting user activity online from bad actors and Man in the Middle (MitM) attacks.
After the said certificate expires, a new certificate has to be issued and the previous certificate has to be blacklisted so that it is not used for any future communications. To maintain records of such activities, organizations are required to use CLM.
Online Certificate Status Protocol (OCSP) is an Internet protocol which enables applications to determine the revocation state of identified certificates without the use of Certificate Revocation Lists (CRLs). With OCSP, it is possible to gain more timely information of the revocation status than is possible with CRLs.
An OCSP client sends a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.
Upon receiving the request, the OCSP responder checks if the predefined conditions are met. These conditions are:
It returns a definitive response if all of the above conditions are met, and produces an error message otherwise.
An OCSP response can be of various types, but only one kind of OCSP response is supported by all OCSP servers and clients. A basic OCSP response contains one of the following certificate statuses:
Good
A certificate status of “good” shows that the certificate is valid for use. At a minimum, this shows that a certificate with the corresponding serial number and validity period hasn’t been revoked.
Revoked
The “revoked” state indicates that the certificate has been revoked, either temporarily or permanently. If the CA has no record of ever having issued a certificate with the certificate serial number in the request, then this status may also be returned.
Unknown
The “unknown” state indicates that the responder doesn’t know about the certificate being requested, usually because the request indicates an unrecognized issuer that is not served by this responder.
The OCSP response is always signed by the CA to ensure no alteration occurs while the response is in transit.
OCSP Stapling improves performance by setting up a digitally-signed and time-stamped OCSP response on the webserver. This OCSP response is then refreshed at certain intervals set by the CA. The stapled OCSP response lets the web server include the OCSP response within the initial SSL handshake, without the user needing to make a separate connection to the CA.
A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. There are two different states of revocation defined:
Revoked
In this state, a certificate is revoked irreversibly and cannot be reinstated. The reason for revocation could be any of the following:
The most common reason for revocation is that the private key for the user has been compromised.
Hold
A certificate that is put into a hold state is suspended temporarily and may be reinstated if needed. Putting a certificate on hold can happen for several reasons; for example, if a private key is thought to be lost, the certificate can be placed on hold, and if the key is later found the hold can be lifted and the certificate becomes valid again.
A CRL essentially functions as a blacklist for certificates. When a browser makes a GET request to an HTTPS-enabled page, it requests the CRL from the CA, which returns a list of all the revoked certificates. The browser then parses the CRL to ensure that the certificate of the requested site isn’t contained within it.
When a browser wants to retrieve a CRL for a certificate, it retrieves it from a specified CRL Distribution Point (a CRL Distribution Point (CDP) is an X.509 v3 certificate extension). To put it in simple terms, a CRL distribution point is a shared location on the network that is used to store the CRL and certificates. It is also possible to have two distribution points, one pointing to the HTTP CRL location and the other pointing to the LDAP CRL location. Both the HTTP and LDAP distribution points can point to the same CRL.
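As an added illustration of the CRL check described above (this is not code from the original article), the following stdlib-only Python walks the DER structure of a CRL and returns the revoked serials with their reason codes, so the "revoked" and "hold" states map to the CRLReason values keyCompromise and certificateHold. The sample CRL is constructed inline and unsigned; real code must verify the CRL signature against the issuer before trusting the list.

```python
# Stdlib-only DER walker that extracts the revoked-serial list from an X.509 CRL
# (RFC 5280 CertificateList). Note: the CRL signature is NOT verified here.
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 4: "superseded", 6: "certificateHold"}
OID_CRL_REASON = bytes.fromhex("551d15")  # id-ce-cRLReasons, OID 2.5.29.21

def tlv(tag, body):  # DER-encode one element; used only to build the constructed sample
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def elements(buf):  # yield (tag, value) for each DER element in buf
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def parse_crl(der):  # -> {serial: (revocationDate, reason)} for every entry in the CRL
    tbs = next(elements(next(elements(der))[1]))[1]  # CertificateList -> tbsCertList body
    fields = list(elements(tbs))
    if fields[0][0] == 0x02:  # optional version INTEGER
        fields.pop(0)
    fields = fields[3:]  # skip signature AlgorithmIdentifier, issuer Name, thisUpdate
    if fields and fields[0][0] in (0x17, 0x18):  # optional nextUpdate (UTCTime/GeneralizedTime)
        fields.pop(0)
    revoked = {}
    if fields and fields[0][0] == 0x30:  # revokedCertificates SEQUENCE OF entries
        for _, entry in elements(fields[0][1]):
            parts = list(elements(entry))  # serial, revocationDate, [crlEntryExtensions]
            reason = "unspecified"
            for _, ext in (elements(parts[2][1]) if len(parts) > 2 else ()):
                e = list(elements(ext))  # extnID, [critical], extnValue OCTET STRING
                if e[0][1] == OID_CRL_REASON:
                    reason = REASONS.get(next(elements(e[-1][1]))[1][0], "unknown")
            revoked[int.from_bytes(parts[0][1], "big")] = (parts[1][1].decode(), reason)
    return revoked
def reason_ext(code):  # crlEntryExtensions holding one CRLReason ENUMERATED
    return tlv(0x30, tlv(0x30, tlv(0x06, OID_CRL_REASON) + tlv(0x04, tlv(0x0A, bytes([code])))))
def sample_crl():  # constructed, unsigned sample: serial 0x1001 key-compromised, 0x1002 on hold
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA"))))
    entries = (tlv(0x30, tlv(0x02, b"\x10\x01") + tlv(0x17, b"250102090000Z") + reason_ext(1))
               + tlv(0x30, tlv(0x02, b"\x10\x02") + tlv(0x17, b"250103120000Z") + reason_ext(6)))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer + tlv(0x17, b"250104000000Z")
              + tlv(0x17, b"250111000000Z") + tlv(0x30, entries))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xab" * 8))  # dummy BIT STRING signature
```

A serial absent from the returned dictionary is what the browser treats as not revoked; a certificateHold entry is the temporary "hold" state, while any other reason is a permanent revocation.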
Using a CRL is the next best way of maintaining a certificate lifecycle if, for some reason, OCSP is not available.
| OCSP | CRL |
|---|---|
| OCSP can be used to get the status of a single certificate. | A CRL is a list with multiple lines that has to be downloaded by the browser. |
| The status of a certificate is fetched by making a request to an OCSP Responder. | A CRL is distributed using a CDP, which can be an HTTP link or an LDAP server. |
| Has less effect on client and network resources. | Has a big effect on client resources. |
| Is currently the industry standard for Certificate Lifecycle Management. | Used to be the only solution for Certificate Lifecycle Management. |
February 21, 2025
October 9, 2024