OCSP Status: a beginner's guide

OCSP stands for Online Certificate Status Protocol. It is the system browsers use to check, in real time, whether a particular SSL certificate has been revoked by its issuing certificate authority. Revocation matters because certificates can be valid (within their date range) but no longer trustworthy — for example, if the private key was compromised or the company that owned the cert went out of business. Without OCSP, the only way to handle revocation would be giant Certificate Revocation Lists (CRLs) that browsers would have to download every few hours. OCSP replaced that with a per-certificate query: when a browser sees a cert, it makes a quick HTTP request to the OCSP responder asking, "is this cert still good?"

You should care because OCSP introduces a privacy and performance problem that most websites don't realize they have. Every time a visitor loads your HTTPS site, their browser is potentially making a separate OCSP request to the certificate authority's server — telling the CA which website the visitor is browsing. That is a privacy leak. It also adds latency: the page can't fully load until the OCSP response comes back. The fix is OCSP stapling, where the server fetches the OCSP response on behalf of the visitor and "staples" it to the TLS handshake. The visitor gets the validity proof without their browser ever talking to the CA, which is faster and more private at the same time.

The four things every OCSP check looks at:

• Is OCSP stapling enabled on the server? Most modern web servers support it; it just has to be turned on in the config.

• Is the stapled response current? OCSP responses have their own expiry; a stale response is treated as no response.

• Does the server fall back gracefully if the OCSP responder is unreachable? Some servers cache the last known-good response; others fail.

• Is OCSP Must-Staple set on the certificate? This is a flag in the certificate itself that requires stapling — making it impossible for an attacker who steals the key to use it without also being able to staple a valid OCSP response.

Three questions an OCSP check answers:

• Am I leaking my visitors' browsing history to my certificate authority?

• Is my page-load latency suffering because OCSP requests are not stapled?

• Is OCSP stapling configured correctly, or did the last server upgrade silently break it?

The cost of skipping OCSP stapling is small but persistent: a privacy leak on every connection, plus a performance hit on the first byte of every page load. The fix is one line in the web-server config. This is one of those small details that distinguishes a properly tuned server from a default one. The OCSP protocol itself is defined in RFC 6960.

In one sentence: Check TLS (Transport Layer Security) certificate trust and OCSP (Online Certificate Status Protocol) responder information

Checks the OCSP (Online Certificate Status Protocol) revocation status for a domain's SSL (Secure Sockets Layer) certificate. Note: OCSP is being deprecated industry-wide — Let's Encrypt ended OCSP support in August 2025, shifting to CRL-based revocation per the official internet standard. Many CAs still support OCSP, making this check valuable for transition monitoring.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

Here's what's actually happening behind the scenes when you call this endpoint:

Performs a TLS (Transport Layer Security) handshake to verify the certificate is trusted by Cloudflare's TLS stack, then identifies the CA's OCSP (Online Certificate Status Protocol) responder URL (web address) from known issuer patterns. Detects whether the CA has deprecated OCSP (e.g., Let's Encrypt since August 2025). Note: Direct OCSP queries and stapling detection are not available in this environment. For full revocation checking, use Qualys SSL (Secure Sockets Layer) Labs or a dedicated OCSP client.

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the OCSP Status tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

Certificate revocation checking is in transition. With Let's Encrypt and other CAs moving from OCSP (Online Certificate Status Protocol) to CRL-based revocation, this endpoint helps identify which domains still rely on OCSP responders and which have transitioned. OCSP stapling verification remains relevant for servers that still support it.

Picture this in real life. Imagine a security operations. Here's the situation they're walking into: Monitor certificate revocation status to detect compromised or misissued certificates. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the OCSP Status tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the OCSP Status tool is built for you:

• Is my website encrypted properly, or are visitors going to see a scary browser warning?

• Am I missing any of the security headers that modern browsers expect?

• Could a known weakness on my site quietly be costing me trust, traffic, or compliance?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Founders and freelancers running their own sites, agencies handing off projects to clients, security and compliance teams chasing audit findings, and developers hardening login pages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and visitors get browser warnings, search engines lose trust in your site, and a single missed setting can become a public security incident. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

If you're still on the fence about whether the OCSP Status tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a security operations, a performance engineer, and a security architect — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Certificate Revocation Monitoring

Imagine you're a security operations. Monitor certificate revocation status to detect compromised or misissued certificates.

Why it matters: Detect certificate revocation before it causes user-facing issues.

Story 2: Performance Optimization

Imagine you're a performance engineer. Verify OCSP (Online Certificate Status Protocol) stapling is enabled to reduce TLS (Transport Layer Security) handshake latency.

Why it matters: Improve TLS (Transport Layer Security) performance by confirming stapling configuration.

Story 3: OCSP Deprecation Assessment

Imagine you're a security architect. Audit which domains still depend on OCSP (Online Certificate Status Protocol) responders versus CRL-based revocation in a post-Let's Encrypt OCSP world.

Why it matters: Plan certificate revocation strategy as the industry transitions away from OCSP (Online Certificate Status Protocol).

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the OCSP Status tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

• After every site redesign or platform migration.

• Before a penetration test, security review, or vendor questionnaire.

• When your SSL certificate is about to expire and you want to confirm the renewal worked.

• On a recurring monthly schedule, so you catch new issues before attackers do.

If you can see yourself in even one of those bullets, the OCSP Status tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the OCSP Status tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the OCSP Status tool to check example.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

You need to provide 2 pieces of information when you call this tool. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

These tools pair naturally with OCSP Status. If you're already running this check, the related ones often answer the next question that comes up:

• SSL Certificates — Analyze active SSL/TLS certificate details

• Certificate Chain — Validate SSL certificate chain

• CT Logs — Search Certificate Transparency logs

If you're using an AI assistant through MCP (Model Context Protocol), you can ask it to run several of these in one go: "Check OCSP Status and the related tools for example.com and tell me what looks off."

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

URL (web address) — The full address of a page, like https://example.com/about.

SSL (Secure Sockets Layer) — The original encryption used by HTTPS. The name stuck even though every modern site actually uses TLS, the newer replacement.

TLS (Transport Layer Security) — The encryption that puts the 'S' in HTTPS. It scrambles data so nobody between you and a website can read it.

OCSP (Online Certificate Status Protocol) — A way for your browser to ask 'is this HTTPS certificate still valid, or has it been revoked?' before trusting it.

RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.