An OCSP responder MAY choose to retain revocation information beyond a certificate's expiration. The date obtained by subtracting this retention interval value from the producedAt time in a response is defined as the certificate's "archive cutoff" date.
To illustrate, if a server is operated with a 7-year retention interval policy and status was produced at time t1, then the value for ArchiveCutoff in the response would be (t1 - 7 years).
OCSP-enabled applications would use an OCSP archive cutoff date to contribute to a proof that a digital signature was (or was not) reliable on the date it was produced even if the certificate needed to validate the signature has long since expired.
The archive cutoff extension is defined in section 4.4.4 of RFC 6960.
The archive cutoff extension is configured in seconds by setting the ocsp.expiredcert.retentionperiod option in the ocsp.properties file. The default value is 31536000 seconds (1 year):
To disable the archive cutoff extension, set ocsp.expiredcert.retentionperiod to -1:
ocsp.expiredcert.retentionperiod = -
You can see Archive Cutoff in action by using openssl, querying for an expired certificate.
Archive Cutoff is only returned in the OCSP responses for expired certificates.
An example openssl ocsp command:
openssl ocsp -issuer ManagementCA.cacert.pem -CAfile ManagementCA.cacert.pem -cert cert.pem -req_text -resp_text -url http:
would result in the following OCSP response if cert.pem is expired:
OCSP Response Data:
OCSP Response Status: successful (
Response Type: Basic OCSP Response
Responder Id: BB689F7058D62AB4B8C13866FAC3CF8FC1986ADA
Produced At: Jan
Hash Algorithm: sha1
Issuer Name Hash: 27CBED5E54A990CCD30F644E3715C75B1DECFDEE
Issuer Key Hash: BB689F7058D62AB4B8C13866FAC3CF8FC1986ADA
Serial Number: 363F7FBC823AEB6F
Cert Status: good
This Update: Jan
Response Single Extensions:
OCSP Archive Cutoff:
If you enable debug logging in the application server, you can see when archive cutoff is being used:
INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (
) Certificate with serial number
is not valid. Adding singleExtension id-pkix-ocsp-archive-cutoff
if the certificate asked for is not expired, no such log line will be available in the server log.