OCSP (Online Certificate Status Protocol) is an Internet protocol used to obtain the revocation status of an X.509 digital certificate. It is an alternative to CRLs (Certificate Revocation Lists) and provides real-time certificate status.

What does OCSP response 'good' mean?

An OCSP response of 'good' indicates that the certificate has not been revoked and is currently valid according to the Certificate Authority.

Why is my OCSP response 'unauthorized'?

An 'unauthorized' OCSP response typically means the OCSP responder doesn't recognize the certificate or the issuer certificate is incorrect. Make sure you're using the correct intermediate certificate.

OCSP Certificate Checker

Real-time Check X.509 RFC 6960

Anish Nath

OCSP Deprecation Notice - Let's Encrypt

Let's Encrypt is ending OCSP support in 2025 in favor of Certificate Revocation Lists (CRLs) for improved privacy. The sample certificates on this page use Let's Encrypt and will no longer work after OCSP shutdown.

Timeline:

Jan 30, 2025: OCSP Must-Staple requests will fail
May 7, 2025: New certificates won't include OCSP URLs
Aug 6, 2025: OCSP responders go offline

Read the official announcement

OCSP Query

Server Certificate

0 chars

Issuer Certificate

0 chars

Let's Encrypt OCSP ended August 2025

OCSP Response

OCSP response will appear here

Paste certificates and click Check OCSP Status

Performing OCSP query...

OpenSSL OCSP Commands

Extract OCSP URI from Certificate

# Get OCSP responder URL

$ openssl x509 -in cert.pem -noout -ocsp_uri

Perform OCSP Query

# Check certificate status via OCSP

$ openssl ocsp -issuer issuer.pem -cert cert.pem \
-url http://ocsp.example.com -resp_text

OCSP with CA Bundle

# Verify OCSP response signature

$ openssl ocsp -issuer chain.pem -cert cert.pem \
-CAfile ca-bundle.crt -url http://ocsp.example.com

Related Certificate Tools

Support This Free Tool

Every coffee helps keep the servers running. Every book sale funds the next tool I'm dreaming up. You're not just supporting a site — you're helping me build what developers actually need.

500K+ users

200+ tools

100% private

☕ One-time support Buy me a coffee 📚 Learn & support 9-Book Bundle - $9 Stay updated Follow @anish2good

Privacy Guarantee: Private keys you enter or generate are never stored on our servers. All tools are served over HTTPS.

Understanding OCSP

What is OCSP?

OCSP (Online Certificate Status Protocol) defined in RFC 6960 is an Internet protocol used for obtaining the revocation status of X.509 digital certificates. Unlike CRLs (Certificate Revocation Lists), OCSP provides real-time certificate status checking.

OCSP Response Status

Good

Certificate is valid and not revoked

Revoked

Certificate has been revoked by CA

Unknown

OCSP responder doesn't know this certificate

OCSP vs CRL

Feature	OCSP	CRL
Update Frequency	Real-time	Periodic
Bandwidth	Low (single cert)	High (full list)
Privacy	CA knows which certs you check	Better privacy
Availability	Requires online responder	Can be cached

Common OCSP Errors

Unauthorized: The OCSP responder doesn't recognize the issuer. Make sure you're using the correct intermediate certificate.
Try Later: The OCSP responder is temporarily unavailable. Retry after some time.
Signature Error: The OCSP response signature verification failed. The response may have been tampered with.

OCSP Certificate Checker

OCSP Deprecation Notice - Let's Encrypt

OCSP Query

OCSP Response

OpenSSL OCSP Commands

Related Certificate Tools

PEM Parser

Certificate Matcher

SSL Checker

SSL Info

Support This Free Tool

Understanding OCSP

What is OCSP?

OCSP Response Status

OCSP vs CRL

Common OCSP Errors

Quick Access

PGP Tools

Sharing Services

Security Tools

Cryptography

Network Tools

Legal & Compliance

DevOps/Container

Blockchain

Encoders/Converters

Developer Tools

Machine Learning Visualizers

Media Tools

Documents & PDF

Finance

Health

Lifestyle & Productivity

Chemistry

Math & Education

Physics Tools

Internationalization