FortiWeb
kmak
Staff
Article Id 352099
Description This article explains what OCSP is and gives an overview of Let’s Encrypt’s intention to end its OCSP service.
Scope FortiWeb.
Solution

Introduction:

OCSP (Online Certificate Status Protocol, RFC 6960) is the protocol a client uses to ask a certificate authority whether a specific X.509 certificate (for example a TLS server certificate) has been revoked, without downloading the CA's full revocation list. The alternative way to check revocation is to fetch the CA's Certificate Revocation List (CRL) and look the certificate's serial number up in it. OCSP requests and responses are carried over plain HTTP, normally on port 80, so that the revocation check does not itself depend on validating another TLS certificate; the responder's URL is published in the certificate's Authority Information Access (AIA) extension.

 

How OCSP works:

  1. Client Requests Status: When a client such as a web browser connects to a site over HTTPS (TLS), it validates the server's certificate chain and, as part of that, may check whether the certificate has been revoked. It sends an OCSP request (identifying the certificate by its issuer name hash, issuer key hash and serial number) to the OCSP responder named in the certificate's AIA extension, a server operated by the certificate authority that issued the certificate.
  2. OCSP Responder Replies: The responder looks the certificate up in the CA's revocation records and returns a signed response carrying one of three statuses: good, revoked, or unknown.
  3. Client Decision: The client verifies the signature on the response and acts on the status: a good response lets the connection proceed normally, while a revoked response results in a certificate warning or a failed connection. What a client does when the responder cannot be reached is client-specific; most browsers soft-fail, i.e. proceed as if the certificate were good, which is one reason OCSP gives weaker guarantees in practice than its design suggests.

 

Overview of Let’s Encrypt intention to end OCSP service:

In a recent announcement, Let’s Encrypt stated its intention to end its OCSP service. The decision follows a ballot passed by the Certification Authority Browser Forum (CA/Browser Forum) that makes providing OCSP services optional for publicly trusted CAs, leaving CRLs as the revocation mechanism CAs must provide.

 

Related URL:

https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls/

 

Let’s Encrypt has not published an exact end-of-support date for its OCSP service, but it is expected to happen within the next six to twelve months.

 

Implications of Ending OCSP Support:

  1. OCSP Stapling: With stapling, the TLS server fetches a signed OCSP response from the CA's responder ahead of time and delivers it to the client inside the TLS handshake, so the client never contacts the responder itself. Once the Let’s Encrypt responder is shut down, servers and devices will no longer be able to obtain a response to staple for Let’s Encrypt certificates. The sharpest case is a certificate carrying the TLS Feature (Must-Staple) extension: a client that honours it rejects the connection when no valid stapled response is present.
  2. Browser Handling: Most browsers have already reduced or removed their live OCSP checks (and soft-fail when a responder does not answer), so ending the service is expected to have minimal impact on most end users.

 

FortiWeb:

If a FortiWeb is configured with an OCSP stapling policy for a certificate issued by Let’s Encrypt, it is recommended to switch that certificate's revocation checking to the CRL option before the responder is shut down, since FortiWeb will no longer be able to obtain a response to staple.
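As an added example (not from this article or from Fortinet), the three-step OCSP exchange described above and the CRL alternative recommended here, run end to end offline with the openssl command-line tool: a throwaway CA issues a leaf certificate, the CA's index file is used first to answer an OCSP request in openssl's responder mode (standing in for the CA's HTTP responder) and then to generate a CRL, and a client verifies each result. The CA name, hostnames, URLs, serial number and dates are made up for the demonstration.

```shell
#!/bin/sh
# Added example: one revocation database, checked two ways (OCSP and CRL).
# All names, URLs and the serial number below are invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: empty req DN sections (we pass -subj), a [ca]
# section used only for CRL generation, and the demo CA / leaf extensions.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
crlnumber        = crlnumber
serial           = serial.txt
new_certs_dir    = .
default_md       = sha256
default_crl_days = 1
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
crlDistributionPoints = URI:http://crl.example.test/demo.crl
EOF

# Build the demo CA and a leaf certificate (serial 0x1001) whose AIA points
# at the fictitious OCSP responder and whose CDP points at the fictitious CRL.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
    -config demo.cnf -extensions ca_ext -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -config demo.cnf -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
    -days 2 -extfile demo.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
  echo 01 > crlnumber
  echo 1002 > serial.txt
}

# Where a client would send its OCSP request: the AIA extension of the leaf.
ocsp_uri() { openssl x509 -noout -ocsp_uri -in leaf.pem; }

# Write the CA's revocation database (openssl "ca" index format) with the leaf
# either valid (V) or revoked (R, with a revocation time). Both the OCSP
# responder and the CRL below are derived from this single file.
set_leaf_status() {
  if [ "$1" = revoked ]; then
    printf 'R\t301231235959Z\t240101000000Z\t1001\tunknown\t/CN=www.example.test\n' > index.txt
  else
    printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=www.example.test\n' > index.txt
  fi
}

# Step 1: the client builds an OCSP request (issuer hashes + serial) -> req.der
# Step 2: the responder (openssl responder mode, reading the request from a
#         file instead of port 80) answers and signs with the CA key -> resp.der
# Step 3: the client verifies the signature on resp.der and reads the status.
# Prints "good" or "revoked".
ocsp_status() {
  rm -f req.der resp.der
  # openssl may exit non-zero when asked only to write a request; the file is what we need.
  openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1 || true
  [ -s req.der ] || { echo error; return 1; }
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -reqin req.der -respout resp.der -CAfile ca.pem >/dev/null 2>&1
  [ -s resp.der ] || { echo error; return 1; }
  openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -CAfile ca.pem -no_nonce 2>/dev/null \
    | sed -n 's/^leaf.pem: //p'
}

# The CRL alternative: publish the same database as a signed CRL and let the
# validator check the leaf against it. Prints "good" or "revoked".
crl_status() {
  openssl ca -gencrl -config demo.cnf -keyfile ca.key -cert ca.pem -crldays 1 -out crl.pem 2>/dev/null
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *"leaf.pem: OK"*)        echo good ;;
    *)                       echo error ;;
  esac
}

make_demo_pki
echo "OCSP responder URL in the leaf's AIA: $(ocsp_uri)"
for st in good revoked; do
  set_leaf_status "$st"
  echo "leaf marked $st -> OCSP says: $(ocsp_status); CRL check says: $(crl_status)"
done
```

The responder step is the part that disappears when a CA stops running OCSP: with no responder to answer step 2, a stapling server has nothing to staple, whereas the CRL path only needs the CA to keep publishing the file that crl_status generates.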

 

Related documents:

Revoking certificates

https://www.fortinet.com/resources/cyberglossary/ocsp