What is OCSP?
The Online Certificate Status Protocol (OCSP) lets web browsers and clients check the status of an issued TLS certificate with a Certificate Authority (CA), ensuring that the certificate has not been revoked.
There are different ways to check whether a certificate has been revoked. Each one places the burden on a different party:
- The browser/client: talk to the CA (or to a CA-entrusted OCSP responder) with OCSP. One downside of this approach is that the CA's servers need to be available.
- The browser vendor: maintain an up-to-date list of certificate revocations by talking to the CAs (or to a CA-entrusted OCSP responder) and distribute this list to the browsers running on users' machines.
- The server side: the server handles the interaction with the CA (or with a CA-entrusted OCSP responder), caches the results of the periodic updates, and includes a "stapled response" (referred to as OCSP stapling) in the TLS connection setup with the browser/client.
OCSP with k6
k6 supports OCSP stapling. The application can receive and parse a stapled response as part of the TLS connection setup. The OCSP response information is available in the ocsp.stapled_response property of the response object.
Properties of an OCSP object
The ocsp object contains the following properties:

| Property | Type | Description |
|---|---|---|
| status | string | the status of the certificate, see possible values below |
| revocation_reason | string | the reason for revocation of the certificate (if that is the status), see possible values below |
| produced_at | number | number of milliseconds elapsed since 1 January 1970 00:00:00 UTC, representing the time when this OCSP stapled response was signed by the CA (or a CA-entrusted OCSP responder) |
| this_update | number | number of milliseconds elapsed since 1 January 1970 00:00:00 UTC, representing the time when the status being indicated was known to be correct |
| next_update | number | number of milliseconds elapsed since 1 January 1970 00:00:00 UTC, representing the time when this OCSP stapled response will be refreshed with the CA (or by a CA-entrusted OCSP responder) |
| revoked_at | number | number of milliseconds elapsed since 1 January 1970 00:00:00 UTC, representing the time when this certificate was revoked (if that is the status) |
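
The properties above are enough to tell a usable staple from a missing, stale or revoked one. The following is an added example, not code from the k6 project: `evaluateStaple` and its options are hypothetical names, the status string `'good'` is an assumption, and the sample objects are constructed.

```javascript
// Added example, not k6 code: judge a stapled OCSP object by the properties
// in the table above. All timestamps are milliseconds since the Unix epoch.
// ASSUMPTION: 'good' is the status string of a non-revoked certificate;
// override it through opts.goodStatus if your k6 version reports another.
function evaluateStaple(ocsp, nowMs, opts = {}) {
  const goodStatus = opts.goodStatus || 'good';
  const skewMs = opts.skewMs === undefined ? 5 * 60 * 1000 : opts.skewMs;
  const findings = [];

  // No staple: the server sent nothing, so revocation was not checked here.
  if (!ocsp || typeof ocsp.status !== 'string' || ocsp.status === '') {
    return { ok: false, findings: ['no stapled OCSP response'] };
  }
  if (ocsp.status !== goodStatus) {
    let msg = `status is "${ocsp.status}"`;
    if (ocsp.revocation_reason) msg += `, reason "${ocsp.revocation_reason}"`;
    if (ocsp.revoked_at > 0) msg += `, revoked at ${new Date(ocsp.revoked_at).toISOString()}`;
    findings.push(msg);
  }
  // Timestamps ahead of our clock (beyond the allowed skew) are not credible.
  for (const field of ['produced_at', 'this_update']) {
    if (ocsp[field] > nowMs + skewMs) findings.push(`${field} is in the future`);
  }
  // A staple past next_update is stale: the server stopped refreshing it.
  if (ocsp.next_update > 0 && ocsp.next_update + skewMs < nowMs) {
    findings.push('staple is stale (next_update has passed)');
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample data, not captured from a real server.
const NOW = Date.UTC(2024, 0, 10, 12, 0, 0);
const HOUR = 60 * 60 * 1000;
const samples = {
  fresh: { status: 'good', produced_at: NOW - HOUR, this_update: NOW - HOUR, next_update: NOW + 24 * HOUR },
  stale: { status: 'good', produced_at: NOW - 200 * HOUR, this_update: NOW - 200 * HOUR, next_update: NOW - 32 * HOUR },
  revoked: { status: 'revoked', revocation_reason: 'key_compromise', revoked_at: NOW - 48 * HOUR,
    produced_at: NOW - HOUR, this_update: NOW - HOUR, next_update: NOW + 24 * HOUR },
  missing: undefined,
};
for (const [name, ocsp] of Object.entries(samples)) {
  const verdict = evaluateStaple(ocsp, NOW);
  console.log(name, verdict.ok ? 'OK' : 'FAIL: ' + verdict.findings.join('; '));
}
```

In a k6 script the function can be pasted in unchanged and called from a check with the OCSP object of the response and `Date.now()`.
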
Possible values for status:
Possible values for revocation_reason: