Certificate Revocation and OCSP Errors
Certificate revocation checking can trigger errors when browsers cannot verify certificate validity status. While less common than other errors, revocation-related issues can cause intermittent connection failures that are difficult to diagnose. Browsers attempt to check if certificates have been revoked before trusting them, using either Certificate Revocation Lists (CRL) or Online Certificate Status Protocol (OCSP).
OCSP failures occur when browsers cannot reach the certificate authority's OCSP servers to verify certificate status. Network issues, CA server problems, or firewall restrictions can prevent these checks. Some browsers fail closed (blocking connections) when OCSP fails, while others fail open (allowing connections) for better availability. This inconsistency creates different user experiences across browsers for the same underlying issue.
Implementing OCSP stapling is the most effective remedy for revocation-checking problems. With stapling, your server periodically fetches a signed OCSP response from the CA and includes it in the TLS handshake, so the browser no longer has to contact the CA's OCSP responder itself; this improves both performance and reliability. Configure OCSP stapling in your web server: Apache uses the SSLUseStapling directive (and additionally requires an SSLStaplingCache to be defined), while Nginx uses ssl_stapling. Verify that stapling works with `openssl s_client -connect example.com:443 -status`: the output should contain an OCSP response with "Cert Status: good" rather than "OCSP response: no response sent".
Monitor OCSP stapling effectiveness and configure appropriate cache durations. OCSP responses are typically valid for days, so aggressive caching reduces CA server load while maintaining security. Configure fallback behavior for when OCSP fetching fails; most servers continue serving the last valid response until it expires. Regular monitoring ensures OCSP stapling continues functioning, because a stapling failure may not immediately affect site availability (browsers often fall back to their own lookups or fail open) but it silently weakens revocation checking.
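The verification step above and the periodic monitoring it calls for can be scripted. This is an added example, not code from the original article: it classifies the output of `openssl s_client -status` so a cron job or health check can alert when a server stops stapling. The sample outputs are constructed to mirror openssl's print format, not captured from a real host; `probe_stapling` assumes openssl is installed and the host is reachable.

```shell
#!/bin/sh
# Classify `openssl s_client -status` output read from stdin.
# Prints one word and returns:
#   0  an OCSP response was stapled and reports "Cert Status: good"
#   1  no OCSP response stapled (browser must do its own lookup)
#   2  stapled, but the status is not good (revoked/unknown) or the
#      OCSP response itself was not successful
classify_stapling() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo "not-stapled"; return 1
    fi
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo "stapled-bad-response"; return 2
    fi
    # First "Cert Status:" line describes the leaf certificate.
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case "$status" in
        good) echo "stapled-good"; return 0 ;;
        *)    echo "stapled-${status:-unknown}"; return 2 ;;
    esac
}

# Live probe of one host (assumption: openssl present, host reachable).
# -servername sends SNI so the intended certificate is served.
probe_stapling() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Constructed sample: a server with working stapling.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

# Constructed sample: a server that does not staple.
SAMPLE_NONE='OCSP response: no response sent'
```

Run `probe_stapling example.com` from a scheduled job and alert on any non-zero exit; the exit code distinguishes "stapling disabled" from "stapled response says revoked", which need different responses.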