Revocation Status: a beginner's guide

Certificate revocation is the system browsers use to check whether a particular SSL certificate has been invalidated before its expiry date — for example, because the private key was compromised or the company that owned the cert went out of business. There have historically been two mechanisms: bulk CRLs (Certificate Revocation Lists) and per-cert OCSP (Online Certificate Status Protocol) queries to the issuing CA. As of 2026, the ecosystem is mid-migration away from OCSP for privacy reasons. Let's Encrypt — the largest public CA — shut down its OCSP responders on 2025-08-06 and now publishes only CRLs. Firefox 137+ ships CRLite (a compressed all-revocations filter). Chrome uses CRLSets (a small push list of high-priority revocations) and stopped soft-failing OCSP for EV in 2022. For any cert issued by Let's Encrypt today, there is no OCSP responder to call — the expected revocation method is CRL.

You should care because OCSP introduces a privacy and performance problem that the ecosystem is now actively retiring. Every time a visitor loads your HTTPS site, their browser is potentially making a separate OCSP request to the certificate authority's server — telling the CA which website the visitor is browsing. That is a privacy leak. It also adds latency: the page can't fully load until the OCSP response comes back. The fix is OCSP stapling, where the server fetches the OCSP response on behalf of the visitor and "staples" it to the TLS handshake. The visitor gets the validity proof without their browser ever talking to the CA, which is faster and more private at the same time.

The five things every revocation check looks at today:

• Which method does this CA still support? OCSP, CRL, or neither. Let's Encrypt is CRL-only as of 2025-08-06; DigiCert, Sectigo, and Google Trust Services still operate OCSP responders.

• Is OCSP stapling enabled on the server (where applicable)? For CAs that still issue OCSP, stapling avoids the per-visitor privacy leak and the latency cost. One line of web-server config.

• Is OCSP Must-Staple set on the certificate? A flag that requires stapling — Must-Staple certs from CAs that retired OCSP are effectively un-renewable.

• Is the CRL distribution point reachable? Modern certs increasingly carry `cRLDistributionPoints` extensions; Let's Encrypt CRLs are ~100KB, sharded by issuer.

• For browsers using local revocation databases (Firefox CRLite, Chrome CRLSets), is your CA covered? Revocations propagate via browser updates rather than instantly.

Three questions a revocation check answers today:

• Is my CA still operating OCSP, or have I quietly migrated into a CRL-based world?

• Do I have any Must-Staple certificates that are about to become un-renewable?

• Are my visitors' browsers actually able to detect revocations for my certs, given the post-OCSP ecosystem?

The cost of running on stale assumptions is misconfigured monitoring (alerting on OCSP failures for CAs that retired the service) and renewability traps (Must-Staple certs that can no longer be staple-served). The OCSP protocol is defined in RFC 6960; Let's Encrypt's deprecation timeline is at letsencrypt.org/2024/12/05/ending-ocsp.

In one sentence: Per-CA revocation method (OCSP (Online Certificate Status Protocol) vs CRL), responder URL (web address), and policy notes

Reports the expected revocation-checking method for a domain's SSL (Secure Sockets Layer) certificate based on its issuer. Tracks the post-2025 transition away from OCSP (Online Certificate Status Protocol) — Let's Encrypt shut down OCSP responders on August 6, 2025, and other CAs are following with their own timelines. Returns per-CA policy (OCSP, CRL, or none), responder liveness, and the responder URL (web address) when applicable. Does NOT perform a live revocation request (Cloudflare Workers cannot send raw DER-encoded OCSP requests).

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

Here's what's actually happening behind the scenes when you call this endpoint:

Looks up the cert's issuer via CT data, matches it against a per-CA revocation policy table, and returns: expected_method (OCSP | crl | none), responder_active (boolean), deprecated_since (date, when applicable), and the inferred OCSP (Online Certificate Status Protocol) responder URL (web address). The policy note explains the transition status for that CA. For a live revocation check, use Qualys SSL (Secure Sockets Layer) Labs or a dedicated OCSP client.

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Revocation Status tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

Certificate revocation checking is in transition. With Let's Encrypt and other CAs moving from OCSP (Online Certificate Status Protocol) to CRL-based revocation, this endpoint helps identify which domains still rely on OCSP responders and which have transitioned. OCSP stapling verification remains relevant for servers that still support it.

Picture this in real life. Imagine a security operations. Here's the situation they're walking into: Monitor certificate revocation status to detect compromised or misissued certificates. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Revocation Status tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Revocation Status tool is built for you:

• Is my website encrypted properly, or are visitors going to see a scary browser warning?

• Am I missing any of the security headers that modern browsers expect?

• Could a known weakness on my site quietly be costing me trust, traffic, or compliance?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Founders and freelancers running their own sites, agencies handing off projects to clients, security and compliance teams chasing audit findings, and developers hardening login pages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and visitors get browser warnings, search engines lose trust in your site, and a single missed setting can become a public security incident. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

If you're still on the fence about whether the Revocation Status tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a security operations, a performance engineer, and a security architect — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Certificate Revocation Monitoring

Imagine you're a security operations. Monitor certificate revocation status to detect compromised or misissued certificates.

Why it matters: Detect certificate revocation before it causes user-facing issues.

Story 2: Performance Optimization

Imagine you're a performance engineer. Verify OCSP (Online Certificate Status Protocol) stapling is enabled to reduce TLS (Transport Layer Security) handshake latency.

Why it matters: Improve TLS (Transport Layer Security) performance by confirming stapling configuration.

Story 3: OCSP Deprecation Assessment

Imagine you're a security architect. Audit which domains still depend on OCSP (Online Certificate Status Protocol) responders versus CRL-based revocation in a post-Let's Encrypt OCSP world.

Why it matters: Plan certificate revocation strategy as the industry transitions away from OCSP (Online Certificate Status Protocol).

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Revocation Status tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

• After every site redesign or platform migration.

• Before a penetration test, security review, or vendor questionnaire.

• When your SSL certificate is about to expire and you want to confirm the renewal worked.

• On a recurring monthly schedule, so you catch new issues before attackers do.

If you can see yourself in even one of those bullets, the Revocation Status tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Revocation Status tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the Revocation Status tool to check example.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

You need to provide 2 pieces of information when you call this tool. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

These tools pair naturally with Revocation Status. If you're already running this check, the related ones often answer the next question that comes up:

• SSL Certificates — Analyze active SSL/TLS certificate details

• Certificate Chain — Validate SSL certificate chain

• CT Logs — Search Certificate Transparency logs

If you're using an AI assistant through MCP (Model Context Protocol), you can ask it to run several of these in one go: "Check Revocation Status and the related tools for example.com and tell me what looks off."

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

URL (web address) — The full address of a page, like https://example.com/about.

SSL (Secure Sockets Layer) — The original encryption used by HTTPS. The name stuck even though every modern site actually uses TLS, the newer replacement.

TLS (Transport Layer Security) — The encryption that puts the 'S' in HTTPS. It scrambles data so nobody between you and a website can read it.

OCSP (Online Certificate Status Protocol) — A way for your browser to ask 'is this HTTPS certificate still valid, or has it been revoked?' before trusting it.