
OCSPResponder

Real-time validation of certificates – reliable, fast and highly available.

OCSPResponder is a high-performance, RFC 6960-compliant OCSP responder for environments where certificate validation must be fast, reliable and easy to operate. It supports both offline and online signature modes, processes any number of issuing CAs in a single installation and is delivered as a single, dependency-free binary.

Whether you need to serve thousands of OCSP requests per second in a large PKI or want to integrate standards-compliant certificate status services into an existing CA infrastructure – OCSPResponder does it with minimal resource requirements and without fuss.

OCSPResponder: Highlights

Real-time queries: Response times in the millisecond range – optimised for high load and short response cycles.

Always available: Highly available architecture with failover options and load distribution.

Trustworthy information: Signed OCSP responses in accordance with RFC 6960 ensure that queriers can trust the status messages.

Features

  • Two operating modes – Choose between offline mode with pre-computed responses for maximum throughput or online mode with full nonce support for real-time certificate status validation.

  • Multi-CA in one instance – A single OCSPResponder installation delivers OCSP responses for any number of issuing CAs, each with its own dedicated OCSP signer certificates and keys.

  • Universal data source compatibility – Import certificate status via CRL from virtually any CA product, or access an OpenXPKI database directly – for seamless integration with OpenXPKI Enterprise Edition.

  • HSM support – Protect OCSP signer keys with hardware security modules via PKCS#11, or use software keys on disk or in the database.

  • Single binary, no dependencies – Available for Linux, Windows and macOS. A Docker image is also available for containerised deployments.

  • Extreme performance – Thousands of requests per second even on modest hardware, with in-memory caching of responses and a memory footprint of only 100–200 MB under high load.

Use Cases

  • KRITIS & Industry: Reliable certificate status information for zero-trust, IoT environments and critical infrastructure. When compliance requirements or policies mandate that OCSP signature keys be stored in a hardware security module, OCSPResponder delivers with native PKCS#11 support. Combined with offline mode, the signature keys are only accessed during the periodic pre-computation step, further reducing the attack surface.

  • Government & e-Government: Certificate verification for electronic signatures, citizen portals, document processing.

  • Mobile Device Management / Endpoint Security: Validation of whether client certificates are still valid, revoked or compromised.

  • OpenXPKI companion – For organisations using OpenXPKI Enterprise Edition, OCSPResponder provides a tailored OCSP service that reads certificate status directly from the OpenXPKI database. No CRL export/import cycle required, no synchronisation delays – just a direct, always-current data path.

  • Vendor-independent OCSP for existing CA infrastructure – You already operate a CA product that publishes CRLs but doesn't provide a performant OCSP service? OCSPResponder can be connected via CRL import and adds RFC 6960-compliant OCSP capabilities – regardless of which CA software issued the certificates.

Details

Deployment – OCSPResponder is delivered as a single, statically linked binary without external runtime dependencies. Pre-built binaries are available for Linux, Windows and macOS. A Docker image is provided for container-based deployments and orchestration platforms.

Offline mode architecture – In offline mode, OCSPResponder is split into two components. The Generator is a command-line tool that is executed periodically (e.g. via cron or a scheduler). It reads the complete certificate status data, computes a signed OCSP response for each entry using the corresponding OCSP signer key, and stores the results in the database. The Server is a permanently running network service that receives incoming OCSP requests, extracts the issuing CA and serial number from each request, looks up the corresponding pre-computed response and returns it to the client. Pre-computed responses cannot by design contain a nonce.

Online mode architecture – In online mode, only the server component is used. It accepts OCSP requests on a network socket and delegates each request to the internal signer, which determines the certificate status from the database and generates a signed OCSP response. If the client request contains a nonce, it is embedded in the response.
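Added example, not OCSPResponder's own code (the page publishes none): a minimal DER walk over an RFC 6960 OCSPRequest that extracts the CertID (issuer name hash, issuer key hash, serial) the offline-mode lookup above is keyed on, plus the optional nonce, and then applies the dispatch rule from the two paragraphs above: offline mode serves the pre-computed response and cannot honour a nonce, online mode signs per request and echoes it. The hashes, serial and nonce are constructed sample values; the signing step itself is left out.

```python
# Added example, not OCSPResponder's own code; sample inputs below are constructed.
NONCE_OID = bytes.fromhex("2b0601050507300102")   # id-pkix-ocsp-nonce 1.3.6.1.5.5.7.48.1.2
SHA1_OID = bytes.fromhex("2b0e03021a")            # sha1 1.3.14.3.2.26
def der(tag, body):  # encode one DER TLV (lengths up to 65535)
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def tlv(buf, pos=0):  # decode the TLV at pos -> (tag, body, position after it)
    first = buf[pos + 1]
    k = 0 if first < 0x80 else first & 0x7F
    n = first if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    return buf[pos], buf[pos + 2 + k:pos + 2 + k + n], pos + 2 + k + n

def children(body):  # members of a constructed body as (tag, body) pairs
    pos = 0
    while pos < len(body):
        tag, inner, pos = tlv(body, pos)
        yield tag, inner

def build_request(name_hash, key_hash, serial, nonce=None):
    """Constructed, unsigned v1 OCSPRequest with one CertID (sample input, not a capture)."""
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    cert_id = der(0x30, alg + der(0x04, name_hash) + der(0x04, key_hash) + serial_der)
    tbs = der(0x30, der(0x30, cert_id))                   # requestList holding one Request
    if nonce is not None:                                 # RFC 8954: nonce sits in an inner OCTET STRING
        ext = der(0x30, der(0x06, NONCE_OID) + der(0x04, der(0x04, nonce)))
        tbs += der(0xA2, der(0x30, ext))                  # [2] EXPLICIT requestExtensions
    return der(0x30, der(0x30, tbs))

def parse_request(data):
    """Return (issuer_name_hash, issuer_key_hash, serial, nonce or None) of the first Request."""
    parts = list(children(tlv(tlv(data)[1])[1]))                     # members of tbsRequest
    request_list = next(body for tag, body in parts if tag == 0x30)  # skips [0] version / [1] requestorName
    _, name_hash, key_hash, serial = (body for _, body in children(tlv(tlv(request_list)[1])[1]))
    nonce = None
    for ext in (e for tag, body in parts if tag == 0xA2 for _, e in children(tlv(body)[1])):
        fields = list(children(ext))                                 # extnID, [critical], extnValue
        if fields[0][1] == NONCE_OID:
            nonce = tlv(fields[-1][1])[1]
    return name_hash, key_hash, int.from_bytes(serial, "big"), nonce

def respond(data, precomputed, mode):
    """offline: stored response for this CertID, nonce dropped by design; online: sign per request, echo nonce."""
    name_hash, key_hash, serial, nonce = parse_request(data)
    key = (name_hash, key_hash, serial)
    if mode == "offline":
        return "precomputed", precomputed.get(key, "unknown"), None
    return "online", f"sign(status of serial {serial:#x})", nonce   # signing itself is out of scope here
```

A client that sent a nonce and receives an offline-mode answer will see no nonce echoed, which is exactly the trade-off the two modes make between throughput and freshness guarantees.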

Performance – OCSPResponder is designed for speed. In offline mode, pre-computed responses are cached in memory, enabling lookup times in the sub-millisecond range. Even on modest hardware, throughput easily reaches thousands of requests per second. Memory consumption is typically in the range of 100–200 MB, even under sustained high load – resource consumption is negligible in most deployment scenarios.

Monitoring – OCSPResponder provides performance and operational metrics in Prometheus format, enabling integration into common monitoring and alerting stacks such as Prometheus/Grafana.

Key storage options – Private OCSP signer keys can be stored as files on disk, imported into the OCSPResponder database, or held in a hardware security module accessible via PKCS#11. Multiple signer certificates can be configured per issuing CA; OCSPResponder automatically selects the most current valid signer for response generation.

Failover: Support for common load balancers and reverse proxies.

Licence

  • The base licence includes OCSPResponder itself, the product documentation and the required licence files.

Additional Options

  • HSM support

Maintenance and Support

Would you like to learn more about our products
or request a demo?


Contact

  • Werner-Heisenberg-Str. 8
  • 85254 Sulzemoos, Germany

© Whiterabbitsecurity