Certificate tools

OCSP Checker

Check a certificate's real-time revocation status against its OCSP responder

Check Certificate Revocation Status

Paste a PEM-encoded certificate to query its OCSP responder for live revocation status. The issuer certificate is fetched automatically, or you can provide it yourself.

About OCSP Revocation Checking

The Online Certificate Status Protocol (OCSP) lets you query a Certificate Authority's responder in real time to determine whether a specific certificate has been revoked.

How the Check Works

Responder Discovery

The OCSP responder URL is read from the certificate's Authority Information Access (AIA) extension. Best Practice: Publicly trusted certificates must include an OCSP or CRL endpoint.

Issuer Certificate

An OCSP request is built from the certificate's serial number and hashes of the issuer's name and key, so the issuer certificate is required. We fetch it automatically via AIA when not provided. Best Practice: Provide the issuer manually for private or internal CAs.

Signed Response

The responder returns a signed status of good, revoked, or unknown along with validity timestamps. Best Practice: Treat responses past their nextUpdate as stale.

Understanding the Results

Good

The responder has no revocation record for this certificate serial number. Note: This does not confirm the certificate is otherwise valid or trusted.

Revoked

The CA has revoked the certificate. The response includes the revocation time and, when available, the reason. Action: Replace the certificate immediately.

Unknown

The responder does not recognize the certificate, often because it was not issued by the queried CA. Action: Verify the issuer certificate matches the certificate's actual issuer.