OCSP protocol support

The OCSP protocol (Online Certificate Status Protocol) lets a client verify the validity of a single certificate by querying the certification authority's responder in real time. It is more convenient than CRL checking because the browser no longer has to download the entire revocation list, only the answer for the one certificate it is looking at. It also propagates a revocation in a matter of minutes, whereas publishing and distributing an updated CRL can take several hours. In exchange, the client (or the server importing a certificate) must be able to reach the CA's OCSP responder over HTTP, which is what the troubleshooting section below is about.

All Symantec, Thawte, Comodo, GeoTrust and GlobalSign server and developer certificates that we provide support OCSP. TBS X509 certificates have supported OCSP since November 7th, 2008.





Edit 2013-11-19:

Firefox, Thunderbird and SeaMonkey no longer process CRLs since mid-September 2013, so OCSP has become mandatory for those browsers.

It is still possible though to import a CRL manually: see the documentation.

Common issues on Windows servers (CRL - OCSP):
"Revocation check failed"
"Revocation status unknown."
"Cannot contact the revocation server specified in certificate."
"The certificate status could not be determined because the revocation check failed"

These errors occur because Windows checks the revocation status of the certificate chain (via CRL or OCSP) when you import a certificate. The check is performed by the WinHTTP component, which has its own proxy configuration, separate from the Internet Explorer / WinINET settings of the logged-on user. If WinHTTP cannot reach the CA's CRL or OCSP servers over the internet, the import fails.

Troubleshooting:

- make sure your firewall authorizes outbound connections on port 80 (HTTP) from the server to the certification authority's revocation servers. The OCSP and CRL URLs to reach are listed in the certificate itself (Authority Information Access and CRL Distribution Points extensions).
For example, for a Comodo certificate, use the command:
telnet ocsp.comodoca.com 80
- you then have to either deactivate the WinHTTP proxy
netsh winhttp reset proxy

or configure the WinHTTP proxy so that the CA's servers are reached directly. Note that each "netsh winhttp set proxy" call replaces the previous configuration, so every host to bypass must be given in a single semicolon-separated bypass-list.

Example
  • With Comodo certificates:
    netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.comodoca.com"
  • With TBS X509 certificates:
    netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.tbs-x509.com;*.usertrust.com"
  • With GlobalSign certificates:
    netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.globalsign.com"
  • With Thawte certificates:
    netsh winhttp set proxy proxy-server="http=myproxy" bypass-list="*.thawte.com"
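The manual telnet test above only covers one CA hostname. The following PowerShell script is an added example (it is not part of the original TBS page): it reads the OCSP and CRL URLs out of the certificate being imported, tests TCP reachability to each of them, shows the WinHTTP proxy table that the revocation check actually uses, and finally runs the same chain validation Windows performs. The certificate path C:\certs\server.cer is an assumption; replace it with your own file.

```powershell
# Added example, not from the original page. Assumption: the certificate to
# import is available as a DER or PEM file, here C:\certs\server.cer.
param([string]$CertPath = 'C:\certs\server.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Authority Information Access (OCSP responder, CA issuer) is OID 1.3.6.1.5.5.7.1.1,
# CRL Distribution Points is OID 2.5.29.31. Windows formats both extensions as
# text containing "URL=http://..." entries; pull the HTTP(S) URLs out of that text.
$revocationOids = @('1.3.6.1.5.5.7.1.1', '2.5.29.31')
$urls = foreach ($ext in $cert.Extensions) {
    if ($revocationOids -contains $ext.Oid.Value) {
        [regex]::Matches($ext.Format($true), 'https?://[^\s\)]+') | ForEach-Object { $_.Value }
    }
}

# Same check as "telnet ocsp.comodoca.com 80", but for every URL the chain needs.
# [uri].Port yields the scheme default (80 for http) when the URL carries no port.
foreach ($u in ($urls | Sort-Object -Unique)) {
    $uri = [uri]$u
    $ok = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-70} {1}' -f $u, $(if ($ok) { 'reachable' } else { 'BLOCKED' })
}

# WinHTTP keeps its own proxy settings, independent of the user's Internet Explorer
# / WinINET configuration; this is the table the import-time revocation check uses.
netsh winhttp show proxy

# Build the chain and fetch every AIA/CRL/OCSP URL exactly as the certificate
# store does; a failing URL is reported as an error in the output.
certutil -verify -urlfetch $CertPath
```

A URL reported as BLOCKED by the TCP test points to a firewall rule; a URL that is reachable but still fails in the certutil output points to the WinHTTP proxy configuration, which is what the netsh commands above correct.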