Implementing a delegated OCSP responder

Online Certificate Status Protocol (OCSP) is a protocol for obtaining the revocation status for an X.509 certificate. When a user requests information about the validity of a certificate, a request is sent to an OCSP responder. The OCSP responder checks the status of the certificate with a trusted Certificate Authority (CA) and sends back an OCSP response.

Providing certificate revocation status through OCSP can have many benefits. These include quicker response time and smaller requirement for network bandwidth, as compared to Certificate Revocation Lists (CRLs), which can get large. This page provides information about configuring a delegated OCSP responder that works with Certificate Authority Service.


The OCSP responder provided in the links below pre-generates an OCSP response for each certificate issued by a given CA. The pre-generated responses are saved as individual files in a Cloud Storage bucket. From there, a Cloud Run that you deploy acts as a proxy for these files and is essentially the frontend for the OCSP Server. OCSP responses can be cached through Cloud CDN which itself forwards requests through to Cloud Run.

For instructions on configuring an OCSP responder with CA Service, see the README: OCSP responder for CA Service.

What's next