CAcert has set up and operates a copy of the [http://www.openca.org/ocsp OpenCA] RFC-compliant OCSP responder. All certificates issued after 16.5.2005 should have the OCSP service URL included automatically, and your OCSP client should check certificate status periodically. The OCSP responder issues signed responses over HTTP. The OCSP address is not a normal website and can only be reached with an OCSP client, such as [http://www.openssl.org OpenSSL]; once your client is set up, you can tell it to connect to http://ocsp.cacert.org or http://ocsp.cacert.org:2560. To activate OCSP in Firefox, use the settings below.

Enabling OCSP in Firefox:

  1. Click on the Tools menu, then select Options.
  2. After the Options window appears, select Advanced.
  3. Scroll down until you get to the Validation section, and OCSP will be the last option.
  4. By default "Do not use OCSP for certificate validation" is selected. Change that selection to the second option, "Use OCSP to validate only certificates that specify an OCSP service URL".
  5. Click OK to close the Options window.

The OCSP responder listens on port 2560; the following Apache rewrite rule (mod_rewrite plus mod_proxy) also makes it reachable on port 80:

# Proxy only OCSP requests (Content-Type application/ocsp-request) to the responder on port 2560.
# Note: the original rule negated this condition and misspelled the type as "oscp-request",
# which would have kept OCSP requests from being forwarded.
RewriteCond %{CONTENT_TYPE}   ^application/ocsp-request$
RewriteRule ^/(.*)            http://localhost:2560/ [P]

We issue certificates with the OCSP hostname ocsp.cacert.org, which we plan to distribute with round-robin DNS when load or bandwidth become a problem: we can simply add another OCSP responder to the DNS entry in the same fashion.
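
How an OCSP client checks a certificate against a responder, as the text describes for ocsp.cacert.org, shown as an added example that is not CAcert's own tooling: because it has to run offline, it stands up a throwaway test CA and a local `openssl ocsp` responder in place of ocsp.cacert.org, queries it, verifies the signed response against the CA, and reads back the status, first while the certificate is valid and then after it is marked revoked. The port, file names and subject names are assumptions.

```shell
#!/bin/sh
# Added example (not CAcert's tooling): throwaway CA + local OpenSSL OCSP
# responder standing in for ocsp.cacert.org, queried by the OpenSSL client.
set -e

WORK=$(mktemp -d)
OCSP_PORT=12560           # assumption: any free local port (CAcert uses 2560)
SUBJ='/CN=leaf.example'   # constructed test subject

# Create a test CA and one leaf certificate issued by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test OCSP CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
}

# Write the responder's index.txt (OpenSSL "ca" database format):
# status, expiry, revocation date, serial, filename, subject (tab separated).
# $1 is V (valid) or R (revoked); dates are UTCTime YYMMDDHHMMSSZ.
write_index() {
  serial=$(openssl x509 -in "$WORK/leaf.crt" -noout -serial | cut -d= -f2)
  revdate=''
  if [ "$1" = R ]; then revdate='250101000000Z'; fi   # constructed revocation time
  printf '%s\t491231235959Z\t%s\t%s\tunknown\t%s\n' \
    "$1" "$revdate" "$serial" "$SUBJ" > "$WORK/index.txt"
}

# Serve one signed OCSP response from the index on the local port, then exit.
start_responder() {
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.crt" \
    -rsigner "$WORK/ca.crt" -rkey "$WORK/ca.key" \
    -port "$OCSP_PORT" -nrequest 1 >/dev/null 2>&1 &
  sleep 1
}

# Client side: ask the responder about leaf.crt, insist that the response
# signature verifies against the CA, and print the status (good / revoked).
ocsp_status() {
  start_responder
  out=$(openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/leaf.crt" \
    -CAfile "$WORK/ca.crt" -url "http://127.0.0.1:$OCSP_PORT" 2>&1 || true)
  echo "$out" | grep -q 'Response verify OK' || return 1
  echo "$out" | awk '/leaf.crt: /{print $NF}'
}
make_test_pki
write_index V
echo "status while valid: $(ocsp_status)"
```

Rewriting the index with status R and querying again returns "revoked"; a response whose signature does not verify against the CA is rejected rather than trusted.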