Helping you know your OCSP from your TLS
- CSR (Certificate Signing Request)
A certificate signing request is a message that is sent to a CA defining the certificate that the sender would like to be issued. It encodes information such as the company behind the request and the hostname(s) that the certificate should be issued for. The CSR is just for this initial communication with the CA and is not required to actually use the issued certificate.
- CA (Certificate Authority)
A Certificate Authority (or Certification Authority) is an organisation that acts as a trusted third party for browsers and has the ability to issue new certificates. A CA has its root certificate trusted by major web browsers, meaning that any certificate it signs will also be trusted.
- Revoking Certificates
There are scenarios where an already issued certificate should no longer be trusted. Marking these certificates as untrusted is called revoking the certificate. A common way to do this is via OCSP or a CRL.
- OCSP (Online Certificate Status Protocol)
OCSP is a protocol that a CA can use to revoke a certificate. It's a real-time HTTP web service that can be queried on demand to establish a certificate's status. Defined by RFC 6960.
- CRL (Certificate Revocation List)
A CRL is a list (usually maintained by a CA) of revoked certificates and the reason for each revocation. Unlike OCSP, a CRL is a file format and not a protocol over HTTP. Defined by RFC 5280.