Let’s Encrypt to Deprecate OCSP in Favor of CRLs, Enhancing User Privacy
Let’s Encrypt, a leading certificate authority renowned for its commitment to a secure and privacy-respecting internet, has formally announced the deprecation of the Online Certificate Status Protocol (OCSP). This strategic shift will see a complete transition to Certificate Revocation Lists (CRLs) by August 2025, aiming to bolster user privacy and optimize operational efficiency.
The transition will proceed according to the following schedule:
- January 30, 2025: Certificate issuance requests incorporating the OCSP Must Staple extension will be declined for accounts without prior usage of this extension.
- May 7, 2025: CRLs will be integrated into all issued certificates, marking the official end of OCSP support. From this date, requests that use OCSP Must Staple, including certificate renewals, will no longer be accepted.
- August 6, 2025: OCSP responders will be fully decommissioned.
Let’s Encrypt cites several compelling advantages of CRLs over OCSP:
- Enhanced Privacy Protection: CRLs, unlike OCSP, do not necessitate the transmission of user data such as visited websites and IP addresses, thereby significantly mitigating privacy risks.
- Optimized Infrastructure: The elimination of OCSP responder infrastructure streamlines operations, reduces resource demands, and enhances overall efficiency.
- Ubiquitous Browser Compatibility: CRLs benefit from extensive support across all major web browsers, ensuring seamless functionality and compatibility for users.
Concurrently, the OCSP Must Staple extension, despite its intended security benefits, will be deprecated due to limited browser adoption and the potential for server downtime.
Let’s Encrypt advises users, particularly those operating VPN services or non-browser systems that rely on Let’s Encrypt certificates, to verify ahead of time that their systems continue to work without OCSP support. To facilitate this process, an archive of certificates currently employing the OCSP Must Staple extension has been made available.
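One way to run the check advised above is to inspect each deployed certificate for the Must Staple (TLS Feature) extension, an OCSP responder URL, and a CRL distribution point. The following is an added example, not code from Let’s Encrypt; the function names and placeholder URLs are assumptions, and the sample is a constructed extensions list rather than a real certificate.

```python
OID_TLS_FEATURE = bytes.fromhex("2b06010505070118")  # 1.3.6.1.5.5.7.1.24; value 5 = Must Staple
OID_AIA = bytes.fromhex("2b06010505070101")          # 1.3.6.1.5.5.7.1.1
OID_AD_OCSP = bytes.fromhex("2b06010505073001")      # 1.3.6.1.5.5.7.48.1
OID_CRL_DP = bytes.fromhex("551d1f")                 # 2.5.29.31

def tlvs(buf):  # yield (tag, value) for each DER element at one nesting level
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def walk(buf):  # yield every element, descending into constructed ones (bit 0x20)
    for tag, val in tlvs(buf):
        yield tag, val
        if tag & 0x20:
            yield from walk(val)

def extensions(der):  # map OID -> extnValue for each SEQUENCE { OID, ..., OCTET STRING }
    out = {}
    for tag, val in walk(der):
        kids = list(tlvs(val)) if tag == 0x30 else []
        if len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
            out[kids[0][1]] = kids[-1][1]
    return out

def audit(der):  # report the revocation-related extensions of a DER certificate
    ext = extensions(der)
    aia = list(walk(ext.get(OID_AIA, b"")))
    return {
        "must_staple": (0x02, b"\x05") in walk(ext.get(OID_TLS_FEATURE, b"")),
        "ocsp_urls": [nxt[1].decode() for cur, nxt in zip(aia, aia[1:])
                      if cur == (0x06, OID_AD_OCSP) and nxt[0] == 0x86],
        "crl_urls": [v.decode() for t, v in walk(ext.get(OID_CRL_DP, b"")) if t == 0x86],
    }

def enc(tag, *parts):  # sample builder only: DER with short-form lengths
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

# Constructed sample: an extensions list with placeholder URLs, not a real certificate.
SAMPLE = enc(0x30,
    enc(0x30, enc(0x06, OID_TLS_FEATURE), enc(0x04, enc(0x30, enc(0x02, b"\x05")))),
    enc(0x30, enc(0x06, OID_AIA), enc(0x04, enc(0x30, enc(0x30,
        enc(0x06, OID_AD_OCSP), enc(0x86, b"http://ocsp.example"))))),
    enc(0x30, enc(0x06, OID_CRL_DP), enc(0x04, enc(0x30, enc(0x30, enc(0xA0,
        enc(0xA0, enc(0x86, b"http://crl.example/1.crl"))))))))
```

For a PEM file, convert it with `ssl.PEM_cert_to_DER_cert()` before calling `audit()`. A result with `must_staple` set, or with OCSP URLs but no CRL URLs, marks a certificate to reissue or a client to retest.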