Revocation Status
developer /v1/domain/ocsp
Reports the *expected* revocation-checking method for a domain's SSL certificate based on its issuer. Tracks the post-2025 transition away from OCSP: Let's Encrypt shut down OCSP responders on August 6, 2025, and other CAs are following with their own timelines. Returns per-CA policy (OCSP, CRL, or none), responder liveness, and the responder URL when applicable. Does NOT perform a live revocation request (Cloudflare Workers cannot send raw DER-encoded OCSP requests).
What It Does
Looks up the cert's issuer via CT data, matches it against a per-CA revocation policy table, and returns: expected_method (ocsp | crl | none), responder_active (boolean), deprecated_since (date, when applicable), and the inferred OCSP responder URL. The policy note explains the transition status for that CA. For a live revocation check, use Qualys SSL Labs or a dedicated OCSP client.
Why It's Useful
Certificate revocation checking is in transition. With Let's Encrypt and other CAs moving from OCSP to CRL-based revocation, this endpoint helps identify which domains still rely on OCSP responders and which have transitioned. OCSP stapling verification remains relevant for servers that still support it.
Use Cases
Certificate Revocation Monitoring
Monitor certificate revocation status to detect compromised or misissued certificates.
Detect certificate revocation before it causes user-facing issues.
Performance Optimization
Verify OCSP stapling is enabled to reduce TLS handshake latency.
Improve TLS performance by confirming stapling configuration.
OCSP Deprecation Assessment
Audit which domains still depend on OCSP responders versus CRL-based revocation in a post-Let's Encrypt OCSP world.
Plan certificate revocation strategy as the industry transitions away from OCSP.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to check OCSP status for. Example: example.com |
| port | number | Optional | Port to connect to (default: 443). Example: 443 |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| port | number | The port used for connection |
| tlsVerified | boolean | Whether the TLS handshake succeeded (certificate trusted by Cloudflare) |
| issuer | string \| null | Issuer name surfaced from CT data (context for the policy lookup) |
| expected_method | string | Expected revocation-check method for this CA: "ocsp" \| "crl" \| "none". Drives client expectations rather than reporting a live revocation status. |
| responder_active | boolean \| null | Whether the CA still operates an OCSP responder (per 2026-05 policy snapshot). null when issuer is unknown. |
| deprecated_since | string \| null | ISO date the CA retired OCSP (e.g., 2025-08-06 for Let's Encrypt). null when still active. |
| ocspResponder | string \| null | OCSP responder URL inferred from the issuer (null if CA retired OCSP or isn't in our policy table) |
| ocspDeprecated | boolean | Convenience boolean: true when this CA has deprecated OCSP entirely. |
| policy_note | string | Per-CA policy explanation (what to expect for revocation checks from this CA). |
| revocation_endpoints | object \| null | Phase 2: { ocsp[], crl[], source }. When source="x509-extension", OCSP URLs come from the leaf cert's AuthorityInfoAccess and CRL URLs from cRLDistributionPoints; this works for any CA, not just the 11 in our hardcoded map. Falls back to source="heuristic-fallback" when X.509 parse failed. |
| must_staple | boolean | Phase 2: parsed from the TLS Feature OID (1.3.6.1.5.5.7.1.24) value 5. true means the cert requires OCSP stapling. |
| must_staple_warning | string \| null | Phase 2: fires when a Must-Staple cert lives under a CA that retired OCSP (e.g., Let's Encrypt post-2025-08-06). Such certs cannot be replaced as Must-Staple without changing CA; surfaced as a hard upcoming-renewal blocker. |
| note | string | Human-readable explanation of the check result |
| limitations | array | Environment limitations for this check |
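
The following Python is an added example, not code from the API provider: it triages responses from this endpoint for the OCSP deprecation audit described under Use Cases, using the field names in the table above. The finding codes, the `triage` and `audit` helper names, and the sample records are constructed for illustration.

```python
# Added example: finding codes, helper names and sample records are constructed.

def triage(resp):
    """Return sorted finding codes for one Revocation Status response dict."""
    findings = set()
    method = resp.get("expected_method")
    endpoints = resp.get("revocation_endpoints") or {}
    if not resp.get("tlsVerified"):
        findings.add("TLS_NOT_VERIFIED")
    if resp.get("issuer") is None or resp.get("responder_active") is None:
        findings.add("ISSUER_UNKNOWN")
    if method == "none":
        findings.add("NO_REVOCATION_METHOD")
    # Must-Staple cert under a CA that retired OCSP: renewal blocker.
    if resp.get("must_staple") and resp.get("ocspDeprecated"):
        findings.add("MUST_STAPLE_RENEWAL_BLOCKER")
    # URLs were parsed from the cert itself, yet none match the expected method.
    if (endpoints.get("source") == "x509-extension"
            and method in ("ocsp", "crl") and not endpoints.get(method)):
        findings.add("EXPECTED_METHOD_HAS_NO_URL")
    if endpoints.get("source") == "heuristic-fallback":
        findings.add("ENDPOINTS_NOT_FROM_CERT")
    # Still relying on a live OCSP responder: track for the CRL transition.
    if method == "ocsp" and resp.get("responder_active"):
        findings.add("DEPENDS_ON_OCSP")
    return sorted(findings)

def audit(responses):
    return {r["domain"]: triage(r) for r in responses}

# Constructed sample responses (not real API output).
SAMPLES = [
    {"domain": "shop.example", "tlsVerified": True, "issuer": "Let's Encrypt",
     "expected_method": "crl", "responder_active": False,
     "ocspDeprecated": True, "must_staple": True,
     "revocation_endpoints": {"ocsp": [], "crl": ["http://crl.example/1.crl"],
                              "source": "x509-extension"}},
    {"domain": "legacy.example", "tlsVerified": True, "issuer": "Example CA",
     "expected_method": "ocsp", "responder_active": True,
     "ocspDeprecated": False, "must_staple": False,
     "revocation_endpoints": {"ocsp": [], "crl": ["http://crl.example/2.crl"],
                              "source": "x509-extension"}},
    {"domain": "unknown.example", "tlsVerified": False, "issuer": None,
     "expected_method": "none", "responder_active": None,
     "ocspDeprecated": False, "must_staple": False, "revocation_endpoints": None},
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Because the endpoint reports expected policy rather than a live revocation result, these findings describe configuration risk, not whether a given certificate has been revoked.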
Code Examples
```bash
# -G sends the parameters as a GET query string, matching the examples below
curl -G "https://api.edgedns.dev/v1/domain/ocsp" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  --data-urlencode "domain=example.com"
```

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/ocsp?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/domain/ocsp',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    }
)
data = response.json()
print(data)
```