OCSP Revocation Checker
loginThis tool is planned for a future release. Authentication and target-ownership verification will be required before it can be enabled.
This tool isn't available in the anonymous view. Sign in to access it.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What is OCSP and why does revocation matter?
OCSP (Online Certificate Status Protocol) allows clients to verify whether a certificate has been revoked before trusting it. If a private key is compromised or a certificate is misisssued, the CA marks it revoked via OCSP. Without revocation checking, a stolen certificate remains trusted by clients until its natural expiry.
What is OCSP stapling?
In basic OCSP, the client contacts the CA's OCSP responder on every TLS connection — adding latency and revealing browsing behaviour to the CA. OCSP stapling lets the server include a cached, signed OCSP response in the TLS handshake, eliminating the client's OCSP request entirely. Check OCSP stapling status with our TLS Deep Scan.
What does a revoked certificate mean?
A revoked certificate should no longer be trusted — the CA has declared it invalid before its expiry date. Common revocation reasons: key compromise, CA compromise, affiliation change, superseded by a new certificate. Browsers handle revocation inconsistently; Chrome uses CRLSets and expects OCSP stapling rather than making live OCSP requests.