Implement a delegated OCSP responder
This document describes the Online Certificate Status Protocol (OCSP)
responder that you can use to serve the revocation status of certificates
issued by Certificate Authority Service. For more information about the tool itself, see OCSP responder for
CA Service.
What is Online Certificate Status Protocol (OCSP)?
OCSP is a protocol for obtaining the revocation status of a single
X.509 certificate. When a client needs to know whether a certificate is still
valid, it sends an OCSP request that identifies the certificate by its serial
number and by hashes of the issuer's name and public key. The OCSP responder
returns a signed OCSP response stating the status of that certificate: good,
revoked, or unknown. In a delegated setup, the response is signed not with the
CA's own key but with a dedicated OCSP signing certificate that the CA issued for
this purpose (marked with the id-kp-OCSPSigning extended key usage). The CA's own
signing key is therefore not involved in answering status queries, and clients can
still verify the response because it chains to the CA they already trust.
Why use a delegated OCSP responder?
Checking revocation status with OCSP has advantages over Certificate
Revocation Lists (CRLs). A client fetches a small response for just the
certificate it is validating instead of downloading the CA's entire CRL, which
grows with every revocation and can become large for a busy CA. Responses
therefore arrive faster and consume less network bandwidth. A delegated
responder that serves pre-generated responses adds to this: answering a query
is a file lookup rather than a signing operation, so it is cheap to scale and
easy to cache.
How does the OCSP responder work?
The OCSP responder pre-generates a signed OCSP response
for each certificate that a particular CA has issued, rather than signing
responses as requests arrive. The pre-generated responses are saved as
individual files in a Cloud Storage bucket.
You can deploy a Cloud Run service that regenerates these files
on demand or on a schedule. If a response includes a nextUpdate time, clients
treat it as stale after that time, so the regeneration schedule must refresh
the files before their nextUpdate passes. The Cloud Run service is the HTTP
frontend of the OCSP responder: it receives an OCSP request, finds the file for
the requested certificate, and returns its contents. Cloud CDN can be placed in
front of the Cloud Run service to forward requests to it and cache the
responses, so repeated queries for the same certificate are answered from the
cache.
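The request/response exchange and the file lookup described above, as an added example that is not code from the CA Service OCSP responder or from this page: a Python sketch of the frontend's request handling. It parses the DER OCSPRequest with a small hand-written DER reader, extracts the CertID (hash algorithm, issuer name hash, issuer key hash, serial number), looks it up in a dictionary standing in for the Cloud Storage bucket, and returns the pre-generated bytes or one of the two unsigned error statuses. The `/ocsp/` path prefix, the keying of stored files by CertID, and the sample issuer hashes are assumptions made for the example; the real tool's storage layout is not described on this page.

```python
import base64
import hashlib
import urllib.parse
from typing import Dict, List, NamedTuple, Tuple

# Complete 5-byte OCSPResponse encodings (RFC 6960 4.2.1): SEQUENCE { ENUMERATED responseStatus }.
MALFORMED_REQUEST = bytes.fromhex("30030a0101")   # malformedRequest(1)
UNAUTHORIZED = bytes.fromhex("30030a0106")        # unauthorized(6): we are not the responder for this CertID
# DER OID contents -> (name, digest length) accepted in CertID.hashAlgorithm (SHA-1 and SHA-256).
HASH_OIDS = {bytes.fromhex("2b0e03021a"): ("sha1", 20), bytes.fromhex("608648016503040201"): ("sha256", 32)}

CertID = NamedTuple("CertID", [("hash_alg", str), ("issuer_name_hash", bytes), ("issuer_key_hash", bytes), ("serial", int)])

def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos]; return (tag, contents, offset after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("contents run past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0                       # split SEQUENCE contents into (tag, contents) elements
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def parse_cert_id(request: bytes) -> CertID:
    """Decode Request ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] OPTIONAL }."""
    tag, cert_id, _ = der_read(request, 0)               # reqCert comes first; extensions are ignored
    fields = der_children(cert_id)
    if tag != 0x30 or [t for t, _ in fields] != [0x30, 0x04, 0x04, 0x02]:
        raise ValueError("bad CertID")
    alg_id, name_hash, key_hash, serial = (v for _, v in fields)
    oid_tag, oid, _ = der_read(alg_id, 0)
    if oid_tag != 0x06 or oid not in HASH_OIDS:
        raise ValueError("unsupported hashAlgorithm")
    name, size = HASH_OIDS[oid]
    serial_int = int.from_bytes(serial, "big", signed=True)
    if len(name_hash) != size or len(key_hash) != size or serial_int <= 0:
        raise ValueError("hash length mismatch or non-positive serialNumber")
    return CertID(name, name_hash, key_hash, serial_int)

def parse_ocsp_request(der: bytes) -> List[CertID]:
    """Return every CertID in an OCSPRequest; raise ValueError on malformed input."""
    tag, ocsp_request, end = der_read(der, 0)
    tbs_tag, tbs, _ = der_read(ocsp_request, 0)         # tbsRequest; optionalSignature [0] is ignored
    if tag != 0x30 or end != len(der) or tbs_tag != 0x30:
        raise ValueError("not an OCSPRequest")
    # version [0], requestorName [1], requestExtensions [2] are tagged 0xA0..0xA2: first plain SEQUENCE is requestList.
    request_list = next((v for t, v in der_children(tbs) if t == 0x30), None)
    requests = der_children(request_list or b"")
    if request_list is None or any(t != 0x30 for t, _ in requests):
        raise ValueError("missing or malformed requestList")
    return [parse_cert_id(req) for _, req in requests]

def handle_http(method: str, path: str, body: bytes, store: Dict[CertID, bytes], prefix: str = "/ocsp/") -> bytes:
    """Serve one request from `store` (the stand-in bucket). GET: url-encoded base64(DER) after prefix (RFC 6960 A.1); POST: raw DER."""
    if method == "GET" and path.startswith(prefix):
        try:
            body = base64.b64decode(urllib.parse.unquote(path[len(prefix):]), validate=True)
        except ValueError:                  # binascii.Error is a ValueError subclass
            return MALFORMED_REQUEST
    elif method != "POST":
        return MALFORMED_REQUEST
    try:
        ids = parse_ocsp_request(body)
    except ValueError:
        return MALFORMED_REQUEST
    # One pre-generated file per certificate, so a batched request is refused as well.
    return store.get(ids[0], UNAUTHORIZED) if len(ids) == 1 else MALFORMED_REQUEST

def der_tlv(tag: int, contents: bytes) -> bytes:
    assert len(contents) < 0x80            # short-form lengths are all the small sample request needs
    return bytes([tag, len(contents)]) + contents

def build_ocsp_request(cid: CertID) -> bytes:
    """Encode a one-certificate, unsigned OCSPRequest for cid (used to construct test input)."""
    oid = next(k for k, (name, _) in HASH_OIDS.items() if name == cid.hash_alg)
    serial = cid.serial.to_bytes((cid.serial.bit_length() + 8) // 8, "big")   # leading 0x00 keeps INTEGER positive
    cert_id = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, oid) + b"\x05\x00") + der_tlv(0x04, cid.issuer_name_hash)
                      + der_tlv(0x04, cid.issuer_key_hash) + der_tlv(0x02, serial))
    return der_tlv(0x30, der_tlv(0x30, der_tlv(0x30, der_tlv(0x30, cert_id))))  # Request, requestList, TBSRequest, OCSPRequest

def encode_get_path(der: bytes, prefix: str = "/ocsp/") -> str:
    return prefix + urllib.parse.quote(base64.b64encode(der).decode(), safe="")   # GET form of a request

# Constructed sample data (not real CA Service output): one known certificate and a placeholder
# byte string standing in for its pre-generated DER OCSPResponse file in the bucket.
ISSUER_NAME_HASH = hashlib.sha1(b"CN=Example Issuing CA").digest()
ISSUER_KEY_HASH = hashlib.sha1(b"example issuer public key").digest()
KNOWN = CertID("sha1", ISSUER_NAME_HASH, ISSUER_KEY_HASH, 0x1234)
SAMPLE_STORE = {KNOWN: b"<pre-generated OCSPResponse for serial 0x1234>"}
```

Because the responses are pre-generated, the frontend never signs anything at request time and cannot honor a request nonce; clients following the RFC 5019 lightweight profile accept that. The unauthorized status for an unknown CertID is what RFC 6960 specifies for a responder that is not authoritative for the certificate in question. Supporting the GET form matters for the Cloud CDN layer in front of the service: a CDN caches by URL, and the base64-encoded request in the path makes each certificate's response a distinct cacheable object, which the POST form does not.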
Last updated 2025-03-05 UTC.