The Online Certificate Status Protocol (`OCSP <https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol>`__) offers similar functionality to the CRLs described earlier, but validates
certificates "online" and uses a whitelisting instead of a blacklisting method.
Certificates are checked against a known set of certificates kept online, after which the server responds with
'good', 'revoked', or 'unknown'. Only 'good' responses are considered valid.
To tell the client verifying a certificate where to check its validity, the :code:`AuthorityInfoAccess` extension
should be provided in the certificate authority (the parameter :code:`OCSP uri` adds this to the certificate in OPNsense).
.. tip::

   .. raw:: html

      You can use the <i class="fa fa-info-circle fa-fw"></i> button to find the OCSP URI when available.
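The two pieces a client needs from the text above are where to ask (the OCSP URI inside the :code:`AuthorityInfoAccess` extension) and how to read the answer (only 'good' passes; 'revoked' and 'unknown' do not). The following is an added example, not OPNsense code: a small standard-library DER walker that extracts the OCSP responder URI from an AIA extension value and classifies an OCSP CertStatus. The AIA bytes and the :code:`.invalid` hostnames are constructed for the example.

```python
"""Added example (not OPNsense code): find the OCSP responder URI in an
AuthorityInfoAccess extension value and classify an OCSP CertStatus,
accepting only 'good'. Standard library only; sample DER is constructed."""

# Access-method OIDs from RFC 5280 section 4.2.2.1
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"

def _tlv(tag, value):
    """Encode one DER tag-length-value triple (short or long length form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(oid):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in oid.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                      # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER contents to a dotted string."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)

def parse_aia(der):
    """Return [(access_method_oid, uri_or_None), ...] from an AIA extension value.
    AuthorityInfoAccess ::= SEQUENCE OF AccessDescription
    AccessDescription   ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }"""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorityInfoAccess must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        tag, oid, p = _read_tlv(desc, 0)
        if tag != 0x06:
            raise ValueError("accessMethod must be an OBJECT IDENTIFIER")
        tag, name, _ = _read_tlv(desc, p)
        # GeneralName [6] uniformResourceIdentifier has context tag 0x86; other
        # name forms (directoryName, IP address, ...) are not usable for OCSP.
        uri = name.decode("ascii") if tag == 0x86 else None
        out.append((_decode_oid(oid), uri))
    return out

def ocsp_uri(der):
    """The responder URI a client would query, or None if the extension has none."""
    for method, uri in parse_aia(der):
        if method == OID_AD_OCSP and uri:
            return uri
    return None

def cert_status(der):
    """Map an OCSP CertStatus CHOICE (RFC 6960) to 'good' / 'revoked' / 'unknown'."""
    tag, _, _ = _read_tlv(der, 0)
    names = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}
    if tag not in names:
        raise ValueError("unexpected CertStatus tag 0x%02x" % tag)
    return names[tag]

def accept(status):
    """Only a 'good' answer lets the certificate pass; 'unknown' is not a pass."""
    return status == "good"

def build_aia(ca_issuers_url, ocsp_url):
    """Construct a sample AIA extension value (test data, not taken from a real cert)."""
    return _tlv(0x30,
                _tlv(0x30, _encode_oid(OID_AD_CA_ISSUERS) + _tlv(0x86, ca_issuers_url.encode()))
                + _tlv(0x30, _encode_oid(OID_AD_OCSP) + _tlv(0x86, ocsp_url.encode())))

# Constructed sample; the .invalid TLD is reserved and never resolves.
SAMPLE_AIA = build_aia("http://ca.example.invalid/ca.crt", "http://ocsp.example.invalid/")

if __name__ == "__main__":
    print("OCSP responder:", ocsp_uri(SAMPLE_AIA))
    for raw in (b"\x80\x00", b"\xa1\x11\x18\x0f20240101000000Z", b"\x82\x00"):
        s = cert_status(raw)
        print(s, "->", "accept" if accept(s) else "reject")
```

Note that :code:`accept` treats 'unknown' exactly like 'revoked': a responder that does not know the certificate gives the client no reason to trust it, which is the whitelisting behaviour the section describes, and the opposite of a CRL check where absence from the list means acceptance.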
The OCSP responder (server) which answers the 'OCSP request' needs a special signing certificate, which can
be created in OPNsense via :menuselection:`System --> Trust --> Authorities`, issued by the same CA which issued the
user and/or server certificates.
OPNsense does not implement an OCSP responder, but to test the concept, we can use the
@ -486,6 +486,12 @@ OpenVPN is most commonly used in combination with a public key infrastructure, w
signs certificates for both server and clients (Also know as TLS Mode).
More information about this topic is available in our :doc:`Trust section <certificates>`.
..Tip::
As of version 24.1 OPNsense is able to use OCSP to validate client certificates when using the new Instances. Make sure :code:`Use OCSP (when available)`
is enabled in the trust section of the server instance and the CA used contains a proper :code:`AuthorityInfoAccess` extension
as described in our :doc:`Trust section <certificates>`.
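Review bot: the added tip will not render, because `..Tip::` lacks the space between the two dots and the directive name, so docutils parses it as a comment rather than a directive; the body that follows also needs to be indented under it. Suggest `.. tip::`, then a blank line, then the three body lines indented by three spaces.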