OCSP for X.509 certificate revocation checking

The Online Certificate Status Protocol (OCSP) enables applications to determine the revocation state of an identified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with certificate revocation lists (CRLs), and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.

To take advantage of this feature, a non-Domino OCSP responder must be available within the organization to perform signature verification.

OCSP is enabled by policy, through a setting on the Keys and Certificates tab of the Security Policy Settings document.
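
The client behavior described above (acceptance stays suspended until the responder answers) can be sketched as a fail-closed decision function. This is an added example, not HCL Domino code; it goes beyond the text by also applying the thisUpdate/nextUpdate freshness checks from RFC 6960. The `OcspResult` fields, the `decide` function and the 5-minute skew are assumptions standing in for an already signature-verified response.

```python
# Added illustration; not HCL Domino code. OcspResult is a hypothetical
# stand-in for an OCSP response whose signature has already been verified.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SKEW = timedelta(minutes=5)  # assumed clock-skew tolerance


@dataclass
class OcspResult:
    response_status: str             # "successful", "tryLater", "unauthorized", ...
    cert_status: Optional[str]       # "good", "revoked" or "unknown"
    this_update: Optional[datetime]  # time the status was known to be correct
    next_update: Optional[datetime]  # time by which newer status is available
    serial: Optional[int]            # serial number the responder answered for


def decide(requested_serial: int, result: Optional[OcspResult], now: datetime) -> str:
    """Return "accept", "reject" or "suspend" for the certificate in question."""
    # No answer, or a responder error: acceptance stays suspended.
    if result is None or result.response_status != "successful":
        return "suspend"
    # The answer must be about the certificate that was asked about.
    if result.serial != requested_serial:
        return "suspend"
    if result.cert_status == "revoked":
        return "reject"
    # "unknown" is not "good": the responder does not vouch for the certificate.
    if result.cert_status != "good":
        return "suspend"
    # Freshness: a replayed old "good" must not outlive its validity window.
    if result.this_update is None or result.this_update > now + SKEW:
        return "suspend"
    if result.next_update is not None and result.next_update < now - SKEW:
        return "suspend"
    return "accept"


if __name__ == "__main__":
    # Constructed sample: a fresh "good" answer for serial 0x1234.
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    fresh = OcspResult("successful", "good", now - timedelta(hours=1),
                       now + timedelta(days=1), 0x1234)
    print(decide(0x1234, fresh, now))  # accept
    print(decide(0x1234, None, now))   # suspend (responder unreachable)
```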