Habr2d ago

От Root CA до User Authorization в nginx+apache. Часть 2. Отзыв сертификатов, CRL и OCSP

Сертификат скомпрометирован, а срок действия ещё не вышел — как сказать клиентам «больше ему не верьте»? Разбираем оба механизма отзыва, CRL и OCSP: отзыв, генерация и публикация списков, responder, stapling в nginx/apache. С полным справочником всех параметров.

https://habr.com/ru/articles/1051674/

#OpenSSL #PKI #OCSP #CRL #отзыв_сертификатов #X509 #certificate_authority #OCSP_stapling #nginx #информационная_безопасность

От Root CA до User Authorization в nginx+apache. Часть 2. Отзыв сертификатов, CRL и OCSP

Продолжение первой части , где мы развернули двухуровневую инфраструктуру: Root CA и три промежуточных центра — Person, Server и Code. В конце первой части я обещал, что мы научимся отзывать...

Хабр
Show threadARGVMI~1.PIFFeb 28

As an aside: there's a reason #CABForum standards aren't supposed to apply to private CAs.

CA/B are moving back to CRLs for #certificate revocation because #OCSP doesn't work well. To keep #CRL size manageable, this requires certificate lifetimes to be very short (they decided on 47 days).

But a private #CA is a completely different animal. A private CA might only issue a few dozen certificates in its entire existence. Its CRL will never get huge.

Chema Alonso Feb 16
El lado del mal - Máster Online en Seguridad Ofensiva del Campus Internacional de Seguridad 2026: Comienzo el 24 de Marzo https://www.elladodelmal.com/2026/02/master-online-en-seguridad-ofensiva-del.html #Master #Cibersegurida #OCSP #Formación #OffensiveSecurity
Máster Online en Seguridad Ofensiva del Campus Internacional de Seguridad 2026: Comienzo el 24 de Marzo

Blog personal de Chema Alonso ( https://MyPublicInbox.com/ChemaAlonso ): Ciberseguridad, IA, Innovación, Tecnología, Cómics & Cosas Personasles.

ARGVMI~1.PIFDec 8, 2025

So, apparently, Let's Encrypt is dropping #OCSP and moving to old-fashioned #CRL as the only way to notify everyone when a certificate is revoked.

https://letsencrypt.org/2024/12/05/ending-ocsp

I'm pleased with this turn of events. CRL is much simpler than OCSP, and also doesn't have OCSP's privacy and reliability issues.

But of course CRL has the same old problem: CRLs are big! Fortunately, modern computers have huge storage, and CRLs can be incrementally updated. https://blog.mozilla.org/security/2020/01/21/crlite-part-3-speeding-up-secure-browsing/

#cybersecurity #infosec

Ending OCSP Support in 2025

Earlier this year we announced our intent to provide certificate revocation information exclusively via Certificate Revocation Lists (CRLs), ending support for providing certificate revocation information via the Online Certificate Status Protocol (OCSP). Today we are providing a timeline for ending OCSP services: January 30, 2025 OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension May 7, 2025 Prior to this date we will have added CRL URLs to certificates On this date we will drop OCSP URLs from certificates On this date all requests including the OCSP Must Staple extension will fail August 6, 2025 On this date we will turn off our OCSP responders Additionally, a very small percentage of our subscribers request certificates with the OCSP Must Staple Extension. If you have manually configured your ACME client to request that extension, action is required before May 7. See “Must Staple” below for details.

Pontiff Fractal TiamNov 19, 2025

I totally missed the memo that #letsencrypt disabled #OCSP:

https://letsencrypt.org/2024/12/05/ending-ocsp

And I see that there has been a #cabforum ballot making OCSP optional with only one issuer opposing:

https://cabforum.org/2023/07/14/ballot-sc063v4-make-ocsp-optional-require-crls-and-incentivize-automation/

A terrible Idea. And to make it worst, LE is distributing their #CRL over #cloudflare just as they did with their OCSP endpoints.

Ending OCSP Support in 2025

Earlier this year we announced our intent to provide certificate revocation information exclusively via Certificate Revocation Lists (CRLs), ending support for providing certificate revocation information via the Online Certificate Status Protocol (OCSP). Today we are providing a timeline for ending OCSP services: January 30, 2025 OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension May 7, 2025 Prior to this date we will have added CRL URLs to certificates On this date we will drop OCSP URLs from certificates On this date all requests including the OCSP Must Staple extension will fail August 6, 2025 On this date we will turn off our OCSP responders Additionally, a very small percentage of our subscribers request certificates with the OCSP Must Staple Extension. If you have manually configured your ACME client to request that extension, action is required before May 7. See “Must Staple” below for details.

Hacker NewsSep 14, 2025

OCSP Service Has Reached End of Life

https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-end-of-life

#HackerNews #OCSP #End #of #Life #LetsEncrypt #Cybersecurity #Tech #News

OCSP Service Has Reached End of Life

Today we turned off our Online Certificate Status Protocol (OCSP) service, as announced in December of last year. We stopped including OCSP URLs in our certificates more than 90 days ago, so all Let’s Encrypt certificates that contained OCSP URLs have now expired. Going forward, we will publish revocation information exclusively via Certificate Revocation Lists (CRLs). We ended support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor’s particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let’s Encrypt, it could accidentally be retained or CAs could be legally compelled to collect it. CRLs do not have this issue.

Jonathan Kamens 86 47Sep 1, 2025
Here's today's #TechIsShitDispatch. I missed posting yesterday, but I can assure you that there was shitty tech; I just didn't have time to post about it.
Today's thread features more #Synology bullshit, more #Framework bullshit, some #Hulu bullshit, some #Google bullshit, and some annoying #Thunderbird behavior which I think may be linked to #OCSP certificate validation.
🧵1/18
Michal 🇨🇿Jun 30, 2025

If someone have warning messages in #Nginx logs about #OCSP url. Here is explanation from #LetsEncrypt

https://letsencrypt.org/2024/12/05/ending-ocsp/

Ending OCSP Support in 2025

Earlier this year we announced our intent to provide certificate revocation information exclusively via Certificate Revocation Lists (CRLs), ending support for providing certificate revocation information via the Online Certificate Status Protocol (OCSP). Today we are providing a timeline for ending OCSP services: January 30, 2025 OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension May 7, 2025 Prior to this date we will have added CRL URLs to certificates On this date we will drop OCSP URLs from certificates On this date all requests including the OCSP Must Staple extension will fail August 6, 2025 On this date we will turn off our OCSP responders Additionally, a very small percentage of our subscribers request certificates with the OCSP Must Staple Extension.

Chema Alonso Jun 16, 2025
El lado del mal - Nueva Edición del Máster Online en Seguridad Ofensiva del Campus Internacional de Seguridad 2025/2026 https://www.elladodelmal.com/2025/06/master-online-en-seguridad-ofensiva-del.html #master #formación #ciberseguridad #OCSP #OffensiveSecurity #hacking #RedTeam #pentesting #pentest
Aral BalkanMay 8, 2025

New Kitten Release 🥳

To OCSP¹ or not to OCSP…

• Turns on OCSP support in the server only if the site’s certificate has the OCSP stapling extension.

This is to support both servers that still have OCSP stapling in their certs as well as new ones that don’t. (Let’s Encrypt sunset OCSP support yesterday and there is a transitionary period where Kitten servers will have both types of certificates. This update is to ensure we support both without issues.)

https://kitten.small-web.org

Also updated, if you’re interested in playing lower in the stack:

• @small-tech/https: https://codeberg.org/small-tech/https
• @small-tech/auto-encrypt: https://codeberg.org/small-tech/auto-encrypt

Enjoy!
💕

¹ Online Certificate Status Protocol (https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). Yes, I hate abbreviations too :)

#Kitten #SmallWeb #SmallTech #KittenRelease #TLS #OCSP #OCSPStapling #LetsEncrypt

Kitten: Home