OCSP Checker

Query the OCSP responder listed in a certificate to see if it is good, revoked, or unknown.

About the OCSP Checker

The OCSP Checker asks the Online Certificate Status Protocol responder embedded in a leaf certificate whether that certificate is still valid or has been revoked. Paste the leaf certificate PEM and the issuer (CA) certificate PEM. We extract the OCSP URL from the Authority Information Access extension, build a standards-compliant request, and return the responder status.

OCSP is faster than downloading a full CRL and is what browsers use during TLS handshakes when stapling is not available. Operations teams check OCSP before cutovers to confirm a replaced certificate is not still listed as revoked, or to debug stapling misconfiguration.

Your PEM input is sent to our server only to perform the OCSP POST to the CA responder. We do not store certificates. Some responders block datacenter IPs or return ambiguous responses; results are informational, not a legal guarantee of validity.

For live TLS on a hostname, use SSL Checker. For PEM inspection without network calls, use SSL Decoder.

Frequently asked questions

Why do I need the issuer certificate?

An OCSP request identifies the certificate being checked by its serial number together with hashes of the issuer name and issuer public key. Without the issuer PEM, those hashes cannot be computed, so the responder cannot match the request.

What does “unknown” mean?

The responder did not return a definitive good or revoked status. The certificate may be too new, the responder may be misconfigured, or our parser may not support the response format.

Is this the same as CRL checking?

No. OCSP is a point query to a responder. CRLs are signed lists of revoked serial numbers. Both answer revocation questions but use different protocols.

Are my certificates stored?

No. PEM input is used for the OCSP request and discarded. We do not persist certificate material.

Why did the check fail with HTTP 403?

Some OCSP responders restrict automated or cloud-hosted clients. Try from your own network with openssl ocsp, or check whether the CA publishes an alternative responder.
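
The local check suggested above, as an added example (not this site's code): it reads the OCSP URL from the leaf's Authority Information Access extension, queries the responder with openssl ocsp, and reports good only when openssl also confirms the response signature. The function names, status words and sample output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: run the OCSP check locally with openssl.

# Constructed sample of `openssl ocsp` output (not from a real responder).
SAMPLE_OUTPUT='Response verify OK
leaf.pem: revoked
    This Update: Jan  1 00:00:00 2025 GMT
    Revocation Time: Dec 31 00:00:00 2024 GMT'

# Reduce `openssl ocsp` output (stdout and stderr) to one status word.
# "good" is reported only when the response signature also verified.
classify_ocsp_output() {
    printf '%s\n' "$1" | awk '
        /Response verify OK/ { verified = 1 }
        /Responder Error:/   { err = 1 }
        /: good$/            { s = "good" }
        /: revoked$/         { s = "revoked" }
        /: unknown$/         { s = "unknown" }
        END {
            if (err)            print "responder-error"
            else if (s == "")   print "no-status"
            else if (!verified) print "unverified-" s
            else                print s
        }'
}

# check_ocsp LEAF_PEM ISSUER_PEM (file paths are caller-supplied).
check_ocsp() {
    # OCSP URL from the leaf's Authority Information Access extension.
    url=$(openssl x509 -noout -ocsp_uri -in "$1") || return 2
    if [ -z "$url" ]; then echo "no-ocsp-url"; return 0; fi
    # The response is verified against openssl's default trust store;
    # add -CAfile for a private CA. A failed verification makes openssl
    # exit non-zero, so keep going and let the classifier decide.
    out=$(openssl ocsp -issuer "$2" -cert "$1" -url "$url" 2>&1) || true
    classify_ocsp_output "$out"
}

if [ "$#" -eq 2 ]; then check_ocsp "$1" "$2"; fi
```

Run it as sh ocsp-check.sh leaf.pem issuer.pem, where the script and file names are placeholders. An unverified-good result means the responder answered but the signature on its answer was not confirmed, so it should not be treated as good.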