OCSP (Online Certificate Status Protocol)
OCSP is an internet protocol used for obtaining the revocation status of an X.509 digital certificate without requiring Certificate Revocation Lists (CRLs).
What to Know
OCSP enables real-time verification that certificates haven’t been revoked due to compromise, policy violations, or other security concerns. When establishing HTTPS connections, devices query OCSP responders to verify the certificate’s current validity status before trusting it. This prevents acceptance of compromised certificates that may have been revoked after issuance but before natural expiration. Without OCSP, devices would rely solely on periodic CRL downloads, creating windows where revoked certificates could still be accepted as valid.
OCSP is particularly important for MDM server certificates and code signing certificates. If an MDM server certificate is compromised and revoked, OCSP checks prevent devices from trusting the compromised server. However, OCSP introduces network dependencies — devices must reach OCSP responders to validate certificates, and OCSP responder failures or network blocks can prevent certificate validation. OCSP stapling allows servers to cache OCSP responses and present them during TLS handshakes, reducing client dependencies on OCSP responders.
Common Scenarios
Enterprise IT: Corporate firewalls must allow outbound HTTPS traffic to OCSP responders (typically hosted by certificate authorities) for certificate validation to function. Organizations using internal CAs must deploy accessible OCSP responders or configure certificate profiles to disable OCSP checks (reducing security). OCSP failures manifest as certificate validation errors that block HTTPS connections, as enrollment failures, or as blocked app installations. IT should monitor OCSP responder accessibility and consider implementing OCSP stapling on web servers to reduce client dependencies on external OCSP services.
MSP: MSPs troubleshooting certificate errors should verify client networks permit OCSP traffic to certificate authority responders. Organizations with aggressive firewall policies may inadvertently block OCSP, causing widespread certificate validation failures across the managed fleet. MSPs managing multiple clients with different CA providers must understand each CA’s OCSP responder URLs and ensure appropriate firewall rules. OCSP soft-fail policies allow connections to proceed if OCSP responders are unreachable, balancing security with operational resilience.
Education: School networks with content filtering often block or interfere with OCSP traffic, causing certificate validation issues for student and teacher devices. Education IT should ensure OCSP responder domains are allowlisted in filtering policies to prevent blocking certificate validation traffic. Student devices on home networks or public Wi-Fi depend on accessible OCSP responders for certificate validation, and network-level blocks can prevent app installation or profile deployment.
In Addigy
Addigy’s infrastructure uses certificates with OCSP support, and managed devices perform standard certificate validation including OCSP checks when connecting to Addigy servers. Addigy’s HTTPS certificates include OCSP responder URLs in certificate metadata, allowing devices to verify certificate validity in real-time. Administrators don’t need to configure OCSP directly — it operates automatically as part of standard certificate validation processes.
When troubleshooting enrollment or connectivity issues, Addigy support may investigate whether network policies block OCSP traffic to certificate authorities. Organizations deploying custom certificates or internal CAs through Addigy should ensure their certificates include valid OCSP responder information or implement alternative revocation checking mechanisms to maintain security without breaking device connectivity.
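The responder-reachability and stapling points above (firewall rules for responder URLs, stapling on the server, the responder URL carried in certificate metadata) can be checked from one script. This is an added example, not Addigy's own tooling; it assumes OpenSSL 1.1.1+ or LibreSSL on PATH, and any hostname given to it is a placeholder for the server you want to check.

```shell
#!/bin/sh
# Added example, not Addigy code. Assumes OpenSSL 1.1.1+ or LibreSSL on PATH.

# Print the OCSP responder URI(s) from a PEM certificate's Authority Information
# Access extension. Empty output means the certificate names no responder.
ocsp_uri_from_cert() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Reduce an `openssl ocsp` report (stdin, stdout+stderr merged) to one word:
# good, revoked, unknown or error. A reply whose signature does not verify is
# reported as error, never as good.
ocsp_verdict() {
  report=$(cat)
  case "$report" in
    *"Response Verify Failure"*) echo error ;;
    *": revoked"*)               echo revoked ;;
    *": good"*)                  echo good ;;
    *": unknown"*)               echo unknown ;;
    *)                           echo error ;;   # unreachable responder, malformed reply
  esac
}

# Fetch a server's chain, report whether it staples, and query its responder directly.
# Returns 0 only when the leaf's status is a verified "good".
check_host() {
  host=$1; port=${2:-443}; dir=$(mktemp -d)
  # One handshake: -showcerts yields the chain, -status asks for a stapled response.
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts -status \
    </dev/null >"$dir/handshake.txt" 2>/dev/null
  # Split the chain: cert1.pem is the leaf, cert2.pem its issuer.
  awk -v d="$dir" '/BEGIN CERTIFICATE/{n++; f=1} f{print > (d "/cert" n ".pem")} /END CERTIFICATE/{f=0}' \
    "$dir/handshake.txt"
  stapled=no; grep -q 'OCSP Response Status: successful' "$dir/handshake.txt" && stapled=yes
  uri=$(ocsp_uri_from_cert "$dir/cert1.pem" 2>/dev/null)
  if [ -z "$uri" ]; then
    echo "$host: leaf certificate names no OCSP responder"; rm -rf "$dir"; return 2
  fi
  cat "$dir"/cert*.pem >"$dir/chain.pem"
  # Ask the responder the certificate itself names; this is the request a firewall must allow.
  verdict=$(openssl ocsp -issuer "$dir/cert2.pem" -cert "$dir/cert1.pem" -url "$uri" \
    -CAfile "$dir/chain.pem" 2>&1 | ocsp_verdict)
  echo "$host: responder=$uri stapled=$stapled status=$verdict"
  rm -rf "$dir"
  [ "$verdict" = good ]
}

if [ "$#" -gt 0 ]; then check_host "$1" "$2"; fi
```

Run it from the network segment the managed devices use (for example `sh ocsp_check.sh mdm.example.com`, hostname being a placeholder); a result of `status=error` with `stapled=no` is exactly the case in which a soft-fail client silently accepts the certificate while a hard-fail client reports a validation error.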
Also Known As
- Online Certificate Verification
- Certificate Revocation Check