
Get started with OCSP in EJBCA

Learn how to configure the Online Certificate Status Protocol (OCSP) service in EJBCA.


Find out if a digital certificate has been revoked with OCSP

The OCSP service checks the certificate status using the serial number and replies with a digitally signed response that contains the certificate status. An OCSP response contains one of three values: good, revoked, or unknown. OCSP responses are smaller than CRL files and are suitable for devices with limited memory. The OCSP protocol is mainly defined in RFC 6960 and RFC 5019.
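To show what "using the serial number" means on the wire, the following added example (not EJBCA code or part of the original page) DER-encodes an unsigned RFC 6960 OCSPRequest, whose CertID pairs the serial number with SHA-1 hashes of the issuer name and issuer key, and builds the GET URL form described in RFC 5019. The function names, the sample issuer values, and the responder URL are assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import quote


def tlv(tag: int, value: bytes) -> bytes:
    """DER tag-length-value with short or long form length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def der_integer(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26, NULL parameters),
# the CertID hash that RFC 5019 requires clients to use.
SHA1_ALGID = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))


def build_ocsp_request(issuer_name_der: bytes, issuer_key: bytes, serial: int) -> bytes:
    """Unsigned RFC 6960 OCSPRequest carrying a single CertID."""
    cert_id = tlv(0x30, SHA1_ALGID
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
                  + tlv(0x04, hashlib.sha1(issuer_key).digest())
                  + der_integer(serial))
    request_list = tlv(0x30, tlv(0x30, cert_id))   # SEQUENCE OF Request
    return tlv(0x30, tlv(0x30, request_list))      # OCSPRequest { tbsRequest }


def ocsp_get_url(responder_url: str, request_der: bytes) -> str:
    """GET form: responder URL + url-encoded base64 of the DER request."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + quote(b64, safe="")


# Constructed sample input (not taken from a real CA or from the page).
ISSUER_NAME = tlv(0x30, tlv(0x31, tlv(0x30,
    tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA"))))
ISSUER_KEY = bytes(range(32))                 # stand-in for subjectPublicKey bits
RESPONDER = "http://ocsp.example.test/ocsp"   # placeholder responder URL

if __name__ == "__main__":
    req = build_ocsp_request(ISSUER_NAME, ISSUER_KEY, 0x1234)
    print(req.hex())
    print(ocsp_get_url(RESPONDER, req))
```

Because the request carries only hashes of the issuer and the serial number, the responder never sees the certificate itself, which is why it answers unknown for a serial number it has no record of under that issuer.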

EJBCA also supports another method to convey information about revoked certificates: Certificate Revocation Lists (CRLs).

How to get started

In this tutorial video, you will learn how to quickly get started with OCSP functionality in EJBCA without configuring an external signer service. We will look at how to set up EJBCA as an external OCSP service (Validation Authority) and how to configure the OCSP URL in the Certificate Profile and certificate authority (CA) settings.



A running EJBCA instance that is accessible via the CA UI.

Note: In this tutorial, the following version is used: EJBCA CE 8.1 beta




Check out the supplementary EJBCA and OCSP documentation.

Docker Hub

Get your hands on the EJBCA Docker container by downloading it now.


Take a peek at our tutorial video on YouTube, and browse through some of our other videos as well.


You can ask your questions and learn from PKI specialists in the EJBCA forum on GitHub Discussions.