OCSP Is a Thing of the Past: Let’s Encrypt Improves Privacy on the Internet

Let’s Encrypt has officially announced the end of support for the OCSP protocol (Online Certificate Status Protocol) and a full transition to certificate revocation lists (CRLs). The new approach provides stronger privacy and simplifies the certificate authority’s infrastructure.

The key changes begin on January 30, 2025. From that date, certificate issuance requests with the OCSP Must Staple extension will be rejected unless the account has previously obtained certificates with that extension. By May 7, CRL links will appear in all certificates and OCSP support will be removed. From May 7, any request with OCSP Must Staple will no longer be processed, including certificate renewals. A complete shutdown of the OCSP responders is scheduled for August 6.

Let’s Encrypt notes that CRLs have significant advantages over OCSP. Using CRLs eliminates the collection of data about users’ site visits and IP addresses, which makes CRLs the more privacy-preserving option. OCSP, by contrast, creates a risk of data leakage even when the certificate authority deliberately does not store that information, because the data may be demanded under legal requirements.

Let’s Encrypt has used OCSP since its founding, but supporting it required significant resources. In 2022 the organization added CRL support, which made it possible to abandon the older protocol. CRLs are already widely supported by browsers, require no complex server configuration and provide a high level of privacy.

Support for the OCSP Must Staple extension, which improved privacy and security but never gained sufficient adoption in browsers, is also ending. In addition, using OCSP Must Staple on servers carries a risk of downtime.

In light of the upcoming changes, users are advised to verify that their software works correctly without OCSP support. This is especially important for operators of VPNs and other non-browser systems that use Let’s Encrypt certificates. To check for the use of OCSP Must Staple, an archive with a list of certificates is provided.
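For operators who want to audit their own certificates rather than consult the archive, here is an added example (not part of the announcement or of any Let’s Encrypt tooling): a standard-library Python checker that reads a DER-encoded certificate and reports whether it carries OCSP Must Staple (the RFC 7633 TLS Feature extension), an OCSP responder URL in Authority Information Access, or a CRL Distribution Points URL. The DER walker is a minimal one written for this example; the OID constants are the standard RFC 5280 and RFC 7633 values.

```python
OID_TLS_FEATURE = "1.3.6.1.5.5.7.1.24"  # RFC 7633 TLS Feature; feature 5 = status_request
OID_AIA = "1.3.6.1.5.5.7.1.1"           # Authority Information Access
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"      # AIA accessMethod id-ad-ocsp
OID_CRL_DP = "2.5.29.31"                # CRL Distribution Points

def children(buf):
    """Yield (tag, value) for each DER element directly inside buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(raw):
    """Dotted form of an encoded OBJECT IDENTIFIER (first arc pair below 2.48)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def extensions(der):
    """Yield (oid, extnValue) for every SEQUENCE {OID, [BOOLEAN], OCTET STRING}
    found at any depth, which is the shape of an X.509 Extension."""
    for tag, val in children(der):
        if not tag & 0x20:  # primitive element: nothing to descend into
            continue
        kids = list(children(val))
        if tag == 0x30 and 2 <= len(kids) <= 3 and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
            yield decode_oid(kids[0][1]), kids[-1][1]
        else:
            yield from extensions(val)

def status_mechanisms(der):
    """Report whether a DER certificate carries Must-Staple, an OCSP URL, a CRL URL."""
    info = {"must_staple": False, "ocsp_url": False, "crl_url": False}
    for oid, value in extensions(der):
        body = next(children(value), (0, b""))[1]  # extnValue wraps one DER element
        if oid == OID_TLS_FEATURE:  # body: SEQUENCE OF INTEGER feature ids
            info["must_staple"] = any(t == 0x02 and v == b"\x05" for t, v in children(body))
        elif oid == OID_AIA:  # body: SEQUENCE OF AccessDescription {method OID, location}
            for _, desc in children(body):
                info["ocsp_url"] |= decode_oid(next(children(desc))[1]) == OID_AD_OCSP
        elif oid == OID_CRL_DP:
            info["crl_url"] = True
    return info
```

Feed it the bytes of a DER file (convert PEM first with `openssl x509 -outform DER`); a certificate that still reports `must_staple` or relies only on `ocsp_url` is one to renew or reconfigure before the dates above.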

/Reports, release notes, official announcements.