Implement a delegated OCSP responder

This document provides information about the Online Certificate Status Protocol (OCSP) responder that you can use to check the revocation status of certificates issued using Certificate Authority Service. For more information about the tool, see OCSP responder for CA Service.

What is Online Certificate Status Protocol (OCSP)?

OCSP is a protocol for obtaining the revocation status for an X.509 certificate. When a user requests information about the validity of a certificate, a request is sent to an OCSP responder. The OCSP responder checks the status of the certificate with a trusted certificate authority (CA) and sends back an OCSP response.

Why use a delegated OCSP responder?

Tracking certificate revocation status using OCSP can have many benefits. These include quicker response time and smaller requirement for network bandwidth, as compared to Certificate Revocation Lists (CRLs), which can get quite large.

How does the OCSP responder work?

The OCSP responder pre-generates an OCSP response for each certificate that a particular CA issues. The pre-generated responses are saved as individual files in a Cloud Storage bucket.

You can deploy a Cloud Run service that regenerates these files on-demand or on a schedule. The Cloud Run service is essentially the frontend for the OCSP server.

You can use Cloud CDN to forward requests to Cloud Run and cache OCSP responses. For more information, see Setting up Cloud CDN with Cloud Run.

For instructions about configuring an OCSP responder with CA Service, see the README: OCSP responder for CA Service.