Implement a delegated OCSP responder

This document provides information about the OCSP responder that you can use to check the revocation status of certificates issued using Certificate Authority Service. You can find the tool here: OCSP responder for CA Service.

Online Certificate Status Protocol (OCSP) is a protocol for obtaining the revocation status for an X.509 certificate. When a user requests information about the validity of a certificate, a request is sent to an OCSP responder. The OCSP responder checks the status of the certificate with a trusted certificate authority (CA) and sends back an OCSP response.

Why use a delegated OCSP responder?

Tracking certificate revocation status with OCSP has several benefits over Certificate Revocation Lists (CRLs): responses are quicker and consume far less network bandwidth, because a CRL can grow quite large while an OCSP response covers only the certificate being checked.

How does the OCSP responder work?

The OCSP responder pre-generates an OCSP response for each certificate that a particular CA issues. The pre-generated responses are saved as individual files in a Cloud Storage bucket. A Cloud Run service that you deploy acts as a proxy for these files and is essentially the frontend of the OCSP responder. OCSP responses can be cached by Cloud CDN, which forwards requests on to Cloud Run.
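The following stand-alone Python sketch is an added example of the architecture just described; it is not the CA Service tool's code. It decodes an OCSPRequest (RFC 6960) far enough to extract the CertID, looks up a pre-generated response in a store that stands in for the Cloud Storage bucket, and answers the way the Cloud Run proxy would, including the Cache-Control header that lets a CDN in front absorb repeat lookups. The in-memory `RESPONSE_STORE` dict, the object-name layout `"<issuerKeyHash hex>/<serial hex>"`, and all sample hashes and serials are constructed assumptions, not the tool's actual layout. Only the standard library is used.

```python
# Added example: delegated OCSP responder front end, not the CA Service tool's code.
# Assumptions: RESPONSE_STORE stands in for the Cloud Storage bucket and the key
# layout "<issuerKeyHash hex>/<serial hex>" is hypothetical. Stdlib only; the DER
# handling covers just the OCSPRequest structure (RFC 6960 section 4.1.1).
import base64
import hashlib
import urllib.parse

OID_SHA1 = bytes.fromhex("2b0e03021a")            # id-sha1, 1.3.14.3.2.26
OCSP_CONTENT_TYPE = {"Content-Type": "application/ocsp-response"}
# Real DER for OCSPResponse { responseStatus } without responseBytes (RFC 6960 4.2.1).
MALFORMED = bytes.fromhex("30030a0101")           # malformedRequest(1)
UNAUTHORIZED = bytes.fromhex("30030a0106")        # unauthorized(6)
RESPONSE_STORE = {}                               # constructed stand-in for the bucket

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(n):
    # (bit_length + 8) // 8 leaves room for a leading 0x00 when the top bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                            # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial, hash_oid=OID_SHA1):
    """Encode a one-certificate, unsigned OCSPRequest."""
    alg = der(0x30, der(0x06, hash_oid) + der(0x05, b""))           # AlgorithmIdentifier
    cert_id = der(0x30, alg + der(0x04, issuer_name_hash)
                  + der(0x04, issuer_key_hash) + der_int(serial))    # CertID
    # OCSPRequest { TBSRequest { requestList { Request { CertID } } } }
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))

def parse_cert_ids(req):
    """Return [(hash_oid, issuer_name_hash, issuer_key_hash, serial), ...]."""
    tag, ocsp_body, _ = _read_tlv(req, 0)
    if tag != 0x30:
        raise ValueError("OCSPRequest is not a SEQUENCE")
    tbs = _children(ocsp_body)[0][1]
    # TBSRequest may begin with [0] version / [1] requestorName; requestList is the SEQUENCE
    request_list = next(v for t, v in _children(tbs) if t == 0x30)
    ids = []
    for _, single in _children(request_list):           # each Request
        (_, alg), (_, nh), (_, kh), (_, sn) = _children(_children(single)[0][1])
        ids.append((_children(alg)[0][1], nh, kh, int.from_bytes(sn, "big", signed=True)))
    return ids

def response_key(issuer_key_hash, serial):
    return f"{issuer_key_hash.hex()}/{serial:x}"         # hypothetical object name

def pregenerate(issuer_key_hash, serial, signed_response_der):
    """Stand-in for the batch job that writes one pre-signed response per certificate."""
    RESPONSE_STORE[response_key(issuer_key_hash, serial)] = signed_response_der

def handle(method, path, body=b""):
    """Proxy logic: accept GET (base64 request in the URL, RFC 6960 Appendix A) or POST,
    then serve the matching pre-generated file. Returns (status, headers, body)."""
    try:
        if method == "GET":
            raw = base64.b64decode(urllib.parse.unquote(path.lstrip("/")), validate=True)
        elif method == "POST":
            raw = body
        else:
            return 405, {}, b""
        ids = parse_cert_ids(raw)
    except (ValueError, IndexError, StopIteration):     # undecodable request
        return 200, dict(OCSP_CONTENT_TYPE), MALFORMED
    if len(ids) != 1:                       # one file per certificate: refuse batched requests
        return 200, dict(OCSP_CONTENT_TYPE), UNAUTHORIZED
    _, _, key_hash, serial = ids[0]
    blob = RESPONSE_STORE.get(response_key(key_hash, serial))
    if blob is None:                        # no pre-generated file: not our CA, or never issued
        return 200, dict(OCSP_CONTENT_TYPE), UNAUTHORIZED
    # Cache-Control lets a CDN in front serve repeat lookups without reaching the proxy
    return 200, {**OCSP_CONTENT_TYPE, "Cache-Control": "public, max-age=3600"}, blob

# Constructed sample data (not real issuer hashes or a real signed response).
ISSUER_NAME_HASH = hashlib.sha1(b"constructed issuer DN").digest()
ISSUER_KEY_HASH = hashlib.sha1(b"constructed issuer SPKI").digest()
SAMPLE_SERIAL = 0x1234
SAMPLE_GOOD_RESPONSE = b"<constructed stand-in for a pre-signed DER OCSPResponse>"

def demo():
    pregenerate(ISSUER_KEY_HASH, SAMPLE_SERIAL, SAMPLE_GOOD_RESPONSE)
    req = build_ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, SAMPLE_SERIAL)
    get_path = "/" + urllib.parse.quote(base64.b64encode(req).decode(), safe="")
    return {
        "post": handle("POST", "/", req),
        "get": handle("GET", get_path),
        "unknown": handle("POST", "/", build_ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, 99)),
        "garbage": handle("POST", "/", b"not an ocsp request"),
    }
```

Two points the sketch makes concrete: the proxy never signs anything at request time, so the signing key stays with the batch job that pre-generates the files, and the lookup key is derived from the CertID the client sends (issuer key hash plus serial), which is exactly what must map to one object in the bucket. A real deployment would derive `max-age` from the response's `nextUpdate` rather than a fixed hour.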

For instructions about configuring an OCSP responder with CA Service, see the README: OCSP responder for CA Service.