During a quarterly PKI audit, a security administrator needs to verify whether a single server certificate presented by an internal web application has been revoked. The administrator wants the fastest method that avoids downloading large revocation files and will return the status of only that specific certificate. Which mechanism should the administrator use?
The Online Certificate Status Protocol (OCSP) allows a client to query an OCSP responder and receive the revocation status of a specific X.509 certificate in near real time. Because the request targets a single certificate, it is far more efficient than downloading an entire certificate revocation list (CRL), which can be large. A certificate authority (CA) issues certificates but does not provide one-off status queries, and a registration authority (RA) handles identity vetting rather than revocation checks. Therefore, OCSP is the most efficient choice.