OCSP Service Has Reached End of Life Author: Josh Aas Date: August 6, 2025 --- Summary Let's Encrypt has officially turned off its Online Certificate Status Protocol (OCSP) service as of August 6, 2025. This change follows a prior announcement in December 2024, and certificates containing OCSP URLs have now fully expired after ceasing to include those URLs 90 days earlier. --- Key Points OCSP Service Ended: Let's Encrypt no longer provides OCSP service for checking certificate revocation. New Revocation Method: All revocation information will now be published exclusively via Certificate Revocation Lists (CRLs). Privacy Concerns: OCSP presents privacy risks because when it is used, the Certificate Authority (CA) learns which websites visitors access, potentially exposing user behavior tied to IP addresses. Even with strict privacy policies, accidental retention or legal demands could expose user data. CRLs avoid this issue by not requiring real-time queries. Operational Simplicity: Ending OCSP simplifies Let's Encrypt's Certificate Authority infrastructure, improving reliability, compliance, and operational efficiency. Resource Usage: Prior to shutdown, Let's Encrypt's OCSP handled about 340 billion requests monthly, equating to over 140,000 requests per second at the CDN level. Acknowledgments: Let's Encrypt thanks Akamai for donating CDN services to support OCSP over the past decade. --- Background Let's Encrypt stopped including OCSP URLs in certificates over 90 days ago to prepare for this transition. The organization has supported CRLs for some time and considers CRLs sufficient for revocation purposes. The shift addresses significant privacy concerns inherent in the OCSP process. --- About Let's Encrypt and ISRG Let's Encrypt is a free, automated, and open Certificate Authority run by the nonprofit Internet Security Research Group (ISRG). ISRG's legal address: 548 Market St, PMB 77519, San Francisco, CA 94104-5401, USA. Mail inquiries can be sent to PO Box 18666, Minneapolis, MN 55418-0666, USA. ISRG publishes annual reports detailing their nonprofit work. --- Additional Resources Announcement of OCSP Ending (Dec 2024) Let's Encrypt Website Akamai CDN ISRG Website 2024 ISRG Annual Report --- Contact & Engagement For updates and news, subscribe to Let's Encrypt mailing lists via their newsletter iframe on the site. Visit the Let's Encrypt blog, documentation, or community forums for support. Donate and get involved with Let's Encrypt's mission via their website. --- Let's Encrypt made this change to enhance online privacy and streamline their security infrastructure, marking a significant evolution in how certificate revocation is handled.