Changes to OCSP Publication for Google Trust Services Certificates
Google Trust Services is planning to drop support for Online Certificate Status Protocol (OCSP) information for most certificate chains.
What is OCSP?
OCSP is an internet protocol used for determining the status of an X.509 digital certificate. It allows applications to check in real-time if a certificate is revoked. Other mechanisms exist to check certificate revocation in a more efficient manner for browsers and modern TLS clients.
Changes to OCSP Availability
In the second half of 2025, Google Trust Services will discontinue embedding OCSP information for the majority of our certificate chains. This change is being implemented to improve efficiency and align with industry best practices. For more information on the evolution and decline of OCSP, see this Feisty Duck article.
Why is GTS Making This Change?
This decision is based on several factors:
- Industry Alignment: Many leading certificate authorities are moving away from OCSP.
- Improved Efficiency: OCSP response generation consumes a lot of a CA's signing capacity and can slow the re-issuance cycle in the case of mass revocations or mass renewals.
What This Means for You
For most users, this change will be seamless and won't require any action. Modern browsers and applications utilize multiple certificate validation methods, so the transition won't cause noticeable changes for typical use.
Impact and Action
In the vast majority of cases, there will be no impact on the functionality of certificates issued by Google Trust Services. If your systems rely on OCSP for certificate validation and don't have fallback options, you may need to review and update your configurations to support alternative methods like short lived certificates or CRL verification.