Cyber Security News

Let’s Encrypt to End Support for Online Certificate Status Protocol (OCSP)

Let’s Encrypt has officially announced its timeline to phase out support for the Online Certificate Status Protocol (OCSP).

The nonprofit Certificate Authority (CA) plans to fully transition to Certificate Revocation Lists (CRLs) by mid-2025, citing privacy concerns and efficiency gains as primary reasons for the change.

Phased Timeline for Transition

Let’s Encrypt rolled out a detailed schedule to guide its users through this transition:

  • January 30, 2025: OCSP Must-Staple requests will fail unless the account has a prior history of issuing certificates with the extension.
  • May 7, 2025: Certificates will no longer include OCSP URLs, and all requests for the OCSP Must-Staple extension will fail. CRL URLs will be added to certificates before this date.
  • August 6, 2025: Let’s Encrypt will fully deactivate its OCSP responders, marking the end of its OCSP services.


Why Shift to CRLs?

Let’s Encrypt emphasized that CRLs provide significant advantages over OCSP. CRLs enable the distribution of revocation information without linking individual IP addresses to specific website visits, enhancing privacy.

By contrast, OCSP queries can inadvertently expose website visitors’ IP addresses to the CA, a potential privacy risk even if the CA does not retain such data.

Legal obligations could also force CAs to collect user information—and Let’s Encrypt seeks to mitigate this risk with its pivot to CRLs.

The organization also highlighted operational benefits. Running the OCSP infrastructure for nearly a decade has consumed substantial resources.

Simplifying its infrastructure by adopting CRLs will allow Let’s Encrypt to focus on other areas of compliance and reliability.

The move is anticipated to have minimal impact on websites and browsers, as CRLs enjoy widespread support. However, some non-browser software relying on OCSP might require adjustments.

Let’s Encrypt advises developers and administrators using its certificates for services like VPNs to test their systems for compatibility without OCSP URLs.

Alongside its OCSP deprecation, Let’s Encrypt will also retire support for the OCSP Must-Staple extension.

This feature, designed to enhance privacy and security by enforcing OCSP Stapling, never achieved broad support from browsers or web servers.

The organization is urging users of OCSP Must-Staple to reconfigure their Automatic Certificate Management Environment (ACME) clients ahead of the May 7, 2025, deadline.
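One way to run the compatibility check advised above and to find certificates that still carry Must-Staple, as an added example (not code from Let's Encrypt or from this article): a standard-library Python audit that reads a certificate's extensions and reports its OCSP URL, CRL URL and Must-Staple flag. The function names, the `ocsp_only` flag and the `example.test` sample are assumptions made for illustration.

```python
import base64

AIA = bytes.fromhex("2b06010505070101")          # authorityInfoAccess
AD_OCSP = bytes.fromhex("2b06010505073001")      # id-ad-ocsp access method
CRL_DP = bytes.fromhex("551d1f")                 # cRLDistributionPoints
TLS_FEATURE = bytes.fromhex("2b06010505070118")  # TLS Feature (Must-Staple)

def children(buf):
    """Split DER bytes into (tag, content) pairs; X.509 uses single-byte tags."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                              # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def uris(buf):
    """Collect every URI GeneralName ([6], tag 0x86) at any depth below buf."""
    found = []
    for tag, body in children(buf):
        found += [body.decode()] if tag == 0x86 else uris(body) if tag & 0x20 else []
    return found

def audit(cert):
    """Report revocation pointers in a certificate (DER bytes or PEM str)."""
    if isinstance(cert, str):                     # PEM: drop armor lines, decode
        cert = base64.b64decode("".join(cert.strip().splitlines()[1:-1]))
    tbs, ext = children(children(cert)[0][1])[0][1], {}
    for tag, body in children(tbs):
        if tag == 0xA3:                           # [3] EXPLICIT Extensions
            for _, e in children(children(body)[0][1]):
                ext[children(e)[0][1]] = children(e)[-1][1]  # OID -> extnValue
    ocsp = [u for _, ad in children(children(ext.get(AIA, b"\x30\x00"))[0][1])
            if children(ad)[0][1] == AD_OCSP for u in uris(ad)]
    features = children(children(ext.get(TLS_FEATURE, b"\x30\x00"))[0][1])
    crl = uris(ext.get(CRL_DP, b""))
    return {"ocsp_urls": ocsp, "crl_urls": crl, "ocsp_only": bool(ocsp) and not crl,
            "must_staple": (0x02, b"\x05") in features}

# Constructed sample, not a real signed certificate: a skeleton with an OCSP
# URL in AIA and the Must-Staple feature but no CRL distribution point.
SAMPLE = (bytes.fromhex("305c3055a003020102020101a34b3049")
          + b"\x30\x34\x06\x08" + AIA + b"\x04\x28\x30\x26\x30\x24\x06\x08"
          + AD_OCSP + b"\x86\x18http://ocsp.example.test"
          + b"\x30\x11\x06\x08" + TLS_FEATURE + b"\x04\x05\x30\x03\x02\x01\x05"
          + b"\x30\x00\x03\x01\x00")
```

Pass `audit()` the DER bytes or PEM text of each deployed certificate: `ocsp_only` marks a certificate whose sole revocation pointer is an OCSP URL, and `must_staple` marks one that was issued with the extension.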

This decision reflects Let’s Encrypt’s commitment to offering secure, privacy-focused, and efficient services. As the internet evolves, its transition away from OCSP aims to set a new standard for certificate management practices.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
