

OCSP protocol support

The OCSP protocol lets a client check the validity of a certificate by querying the certification authority's OCSP responder in real time. It is more convenient than CRL checking because the browser no longer has to download the whole CRL, only a small signed answer about the one certificate it is interested in. It also lets a revocation take effect in a matter of minutes, whereas with CRLs it can take several hours (until the next CRL is published and the cached copy expires).

All DigiCert, Thawte, Sectigo, GeoTrust and GlobalSign server and code signing certificates that we provide support OCSP. TBS X509 certificates have supported OCSP since November 7th, 2008.

Edit 2013-11-19:

Firefox, Thunderbird and SeaMonkey have not handled CRLs since mid-September 2013, so OCSP became mandatory for those applications.

It is still possible, though, to import a CRL manually: see the documentation.

Common issues on Windows servers (CRL - OCSP)

"echec revocation check failed" (French-localized message; "échec" means failure)
"Revocation status unknown."
"Cannot contact the revocation server specified in certificate."
"The certificate status could not be determined because the revocation check failed"

This error occurs because Windows checks the revocation status of the certificate chain (CRL or OCSP) when the certificate is imported. The check is done by CryptoAPI, which fetches the CRL or the OCSP response over HTTP through WinHTTP. WinHTTP has its own proxy configuration (it does not use the Internet Explorer proxy settings of the logged-in user), so if it cannot reach the Internet, because of a firewall or a missing or wrong WinHTTP proxy, the import fails with one of the messages above.

Troubleshooting:

  • make sure your firewall allows outbound connections on port 80 (HTTP) to the certification authority's OCSP responder and CRL server.
    For example, for a Sectigo certificate, check that the responder answers with:
    telnet ocsp.comodoca.com 80
  • then either remove the WinHTTP proxy, so that WinHTTP connects directly:
    netsh winhttp reset proxy

    or configure the WinHTTP proxy, with a bypass list so that the CA's revocation servers are reached directly ("myproxy" is a placeholder for your proxy host, optionally followed by :port)

Example:

  • With Sectigo certificates:
    netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.comodoca.com"
  • With TBS X509 certificates (a single command: each "set proxy" call replaces the previous bypass list, so both domains must be given together, separated by a semicolon):
    netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.tbs-x509.com;*.usertrust.com"
  • With GlobalSign certificates:
    netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.globalsign.com"
  • With Thawte certificates:
    netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.thawte.com"
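The troubleshooting steps above, put together in one script. This is an added example written for this page, not a tool from TBS or from the CAs named here: it reads the OCSP responder and CRL distribution point URLs out of the certificate itself instead of relying on a fixed host list, tests TCP/80 to each of those hosts (telnet is not installed by default on recent Windows servers), shows the proxy WinHTTP is using, optionally sets a WinHTTP proxy with a bypass list covering all of those hosts in one call, and finally lets CryptoAPI attempt the revocation check. $CertPath, $Proxy and the "URL=" text it matches (the way Windows renders these extensions in English) are assumptions.

```powershell
<#
  Added example for this page (not TBS's own tooling): diagnose and fix the
  "revocation check failed" import error on a Windows server.
  Run from an elevated PowerShell. $CertPath and $Proxy are placeholders
  (assumptions), as is the 'URL=' text matched below, which is how Windows
  renders the AIA and CRL extensions in English.
#>
param(
    [string]$CertPath = 'C:\certs\server.cer',  # placeholder: your certificate (DER or PEM)
    [string]$Proxy    = ''                       # placeholder, e.g. 'myproxy:8080'; empty = diagnose only
)

# Turn a host such as ocsp.comodoca.com into the wildcard *.comodoca.com used in
# the netsh bypass list; a two-label host is kept as-is rather than becoming *.com.
function Get-BypassPattern([string]$HostName) {
    $labels = $HostName.Split('.')
    if ($labels.Count -gt 2) { '*.' + ($labels[1..($labels.Count - 1)] -join '.') } else { $HostName }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Revocation URLs live in two extensions:
#   1.3.6.1.5.5.7.1.1  Authority Information Access (OCSP responder, issuer certificate)
#   2.5.29.31          CRL Distribution Points
$urls = foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        # Format($true) renders the extension as multi-line text; collect every URL= entry
        [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
}
$hosts = $urls | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique

Write-Host "Revocation endpoints in $CertPath :"
$urls | ForEach-Object { Write-Host "  $_" }

# Step 1 (replaces 'telnet host 80'): can this machine open TCP/80 to each host?
foreach ($h in $hosts) {
    $ok = (Test-NetConnection -ComputerName $h -Port 80 -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("  {0,-40} TCP/80 {1}" -f $h, $(if ($ok) { 'reachable' } else { 'BLOCKED' }))
}

# Step 2: the proxy WinHTTP uses, which is separate from the Internet Explorer settings.
netsh winhttp show proxy

# Step 3: each 'netsh winhttp set proxy' call replaces the previous configuration,
# so bypass entries for several CAs must go into one semicolon-separated list.
if ($Proxy) {
    $bypass = ($hosts | ForEach-Object { Get-BypassPattern $_ } | Sort-Object -Unique) -join ';'
    & netsh winhttp set proxy "proxy-server=http=$Proxy" "bypass-list=$bypass"
}

# Step 4: make CryptoAPI fetch the CRL/OCSP data for this certificate and report the
# result; look for the 'Revocation check' lines in the output.
certutil -verify -urlfetch $CertPath
```

Run it first with no proxy argument to see which hosts are blocked and what WinHTTP is currently configured with; if the TCP test succeeds for every host but certutil still reports a failed revocation check, the problem is the WinHTTP proxy rather than the firewall, and a second run with -Proxy set (or a "netsh winhttp reset proxy" if no proxy is needed) should clear it.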

Opening the OCSP

You may need to allow OCSP traffic through your firewall, that is, outbound TCP/80 (HTTP) to the certification authorities' OCSP responders and CRL servers, for OCSP (or the CRL download) to work properly.

Here is the list of the names to open:

Useful links