Simulate Online Certificate Status Protocol (OCSP) responses to exercise a TLS client's real-time revocation checking. Part of the DevTools Surf developer suite.
Use Cases
Test how a TLS client handles different certificate status responses (good, revoked, unknown).
Simulate OCSP response delays to verify timeout handling in certificate validation logic.
Demonstrate the difference between OCSP checking and OCSP stapling for security training.
Validate OCSP implementation before deploying a PKI system for internal certificate management.
Tips
Test 'good', 'revoked' and 'unknown' status responses: a revoked certificate must be rejected outright, and your client should have a deliberate policy for 'unknown' rather than silently treating it as 'good'.
OCSP stapling should be enabled on your web server: the server fetches the signed OCSP response from the CA's responder, caches it, and sends it inside the TLS handshake, which removes both the latency and the privacy leak of every client contacting the CA. Verify it with `openssl s_client -connect host:443 -servername host -status`, which prints "OCSP Response Status: successful" when a staple is sent and "OCSP response: no response sent" when it is not.
Check the thisUpdate and nextUpdate fields of every response. A response whose nextUpdate is in the past is stale and a strict client treats it as no response at all (so a hard-fail or must-staple client rejects the connection); a responder may omit nextUpdate to indicate that newer information is always available, in which case the client should apply its own maximum age.
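The use cases and tips above (good, revoked and unknown statuses, responder delays versus the client timeout, stale thisUpdate/nextUpdate windows, soft-fail versus hard-fail, and must-staple) can be exercised offline with the following stdlib-only Python simulation. It is an added example, not code from DevTools Surf or from this simulator: the responder, serial numbers, clock and scenario names are constructed, and signature verification over the response is deliberately omitted so that the status and freshness logic stands alone.

```python
"""Toy OCSP responder and TLS-client policy, stdlib only (added example, not DevTools Surf code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"  # the three CertStatus values of RFC 6960

@dataclass
class OCSPResponse:
    serial: int
    status: str
    this_update: datetime
    next_update: Optional[datetime]  # None: responder says newer data is always available
    nonce: Optional[bytes] = None

@dataclass
class Certificate:
    serial: int
    must_staple: bool = False  # models the RFC 7633 TLS Feature (status_request) extension

class SimulatedResponder:
    """Stand-in for the CA's OCSP responder: a revoked-serial table plus a fixed latency."""
    def __init__(self, known, revoked=(), latency=timedelta(0), validity=timedelta(hours=1)):
        self.known = set(known) | set(revoked)
        self.revoked = set(revoked)
        self.latency = latency    # simulated network delay, compared against the client timeout
        self.validity = validity  # nextUpdate = thisUpdate + validity

    def respond(self, serial, now, timeout, nonce=None):
        if self.latency > timeout:
            raise TimeoutError(f"no OCSP response within {timeout.total_seconds():g}s")
        status = REVOKED if serial in self.revoked else GOOD if serial in self.known else UNKNOWN
        return OCSPResponse(serial, status, now, now + self.validity, nonce)

MAX_CLOCK_SKEW = timedelta(minutes=5)

def validate_response(resp, serial, now, nonce=None):
    """Acceptance checks in the spirit of RFC 6960 section 3.2 (signature check omitted here).
    Returns (usable, detail): detail is the status, or the reason the response was rejected."""
    if resp.serial != serial:
        return False, "response is for a different certificate"
    if nonce is not None and resp.nonce != nonce:
        return False, "nonce mismatch (possible replay)"
    if resp.this_update > now + MAX_CLOCK_SKEW:
        return False, "thisUpdate is in the future"
    if resp.next_update is not None and resp.next_update < now:
        return False, "response expired (nextUpdate in the past)"
    return True, resp.status

def check_certificate(cert, responder, now, staple=None,
                      timeout=timedelta(seconds=5), hard_fail=False, nonce=b"\x01\x02"):
    """Client decision for one certificate: 'accept', 'accept (soft-fail: ...)' or 'reject: ...'."""
    strict = hard_fail or cert.must_staple  # must-staple forces hard-fail for this certificate

    def no_usable_response(reason):
        return f"reject: {reason}" if strict else f"accept (soft-fail: {reason})"

    if staple is not None:  # a stapled response carries no client nonce, so none is checked
        usable, detail = validate_response(staple, cert.serial, now)
    elif cert.must_staple:
        return "reject: certificate requires a stapled OCSP response (must-staple)"
    else:
        try:
            resp = responder.respond(cert.serial, now, timeout, nonce)
        except TimeoutError as exc:  # the case an attacker can force by dropping OCSP traffic
            return no_usable_response(str(exc))
        usable, detail = validate_response(resp, cert.serial, now, nonce)
    if not usable:
        return no_usable_response(detail)
    if detail == REVOKED:
        return "reject: certificate revoked"
    if detail == UNKNOWN:
        return no_usable_response("responder does not know this certificate")
    return "accept"

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock for the simulation

def run_scenarios():
    """Constructed scenarios for the cases listed on this page; returns {name: verdict}."""
    ca = SimulatedResponder(known={0x1001, 0x1002}, revoked={0x1002})
    slow_ca = SimulatedResponder(known={0x1001}, latency=timedelta(seconds=30))
    fresh = ca.respond(0x1001, NOW, timeout=timedelta(seconds=5))
    stale = OCSPResponse(0x1001, GOOD, NOW - timedelta(days=2), NOW - timedelta(days=1))
    must = Certificate(0x1001, must_staple=True)
    return {
        "good": check_certificate(Certificate(0x1001), ca, NOW),
        "revoked": check_certificate(Certificate(0x1002), ca, NOW),
        "unknown_soft": check_certificate(Certificate(0x1003), ca, NOW),
        "unknown_hard": check_certificate(Certificate(0x1003), ca, NOW, hard_fail=True),
        "timeout_soft": check_certificate(Certificate(0x1001), slow_ca, NOW),
        "timeout_hard": check_certificate(Certificate(0x1001), slow_ca, NOW, hard_fail=True),
        "must_staple_missing": check_certificate(must, ca, NOW),
        "must_staple_stale": check_certificate(must, ca, NOW, staple=stale),
        "must_staple_fresh": check_certificate(must, ca, NOW, staple=fresh),
    }
```

Call run_scenarios() and print the returned dict: each verdict string shows whether the client accepted, accepted only because it soft-failed, or rejected. The timeout_soft case is exactly what an attacker who drops OCSP traffic obtains from a soft-fail client, and must_staple_missing is the hard-fail answer to it. To test a real client instead, feed it the simulator's response bytes and compare its behaviour against these verdicts.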
Fun Facts
OCSP (Online Certificate Status Protocol) was defined in RFC 2560 in 1999 (revised as RFC 6960 in 2013) as a lighter-weight alternative to Certificate Revocation Lists (CRLs), which can grow to megabytes for large CAs.
In 2012 Google Chrome stopped performing online OCSP checks by default, moving to its own CRLSets, with the argument that an attacker who can intercept the connection can also block the OCSP request; a soft-fail check that accepts the certificate when no response arrives therefore offers almost no protection against an active attacker.
OCSP stapling is the TLS status_request extension, first defined in RFC 3546 (2003) and now specified in RFC 6066; RFC 6961 (2013) added status_request_v2, which staples a response for every certificate in the chain. The server fetches the OCSP response from the CA and sends it inside the TLS handshake, so clients never contact the CA's responder and the CA cannot see which sites they visit.
FAQ
What's the difference between OCSP and CRL?
CRLs (Certificate Revocation Lists) are signed lists of every revoked certificate a CA has issued, fetched periodically and cached. OCSP is a per-certificate status query answered with a small signed response. OCSP is cheaper for a single check and gives fresher information; a CRL, once downloaded, can be checked offline and does not reveal to the CA which certificate is being checked.
What's OCSP must-staple?
An X.509 certificate extension (the TLS Feature extension from RFC 7633, carrying the status_request feature) that tells TLS clients to reject the certificate unless the server supplies a valid, unexpired OCSP response in the handshake. It turns OCSP from soft-fail into hard-fail for that certificate, so an attacker can no longer win simply by blocking the client's OCSP request.
Does it simulate OCSP stapling?
Yes — the simulator can produce OCSP response bytes in the format used for TLS stapling, allowing you to test server-side stapling configuration without a real CA.