Let’s Encrypt to End Support for Online Certificate Status Protocol (OCSP)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vendorlink.bgea.org

I ran this command:

It produced this output:

My web server is (include version): Beyond Trust Privilege Remote Access BTPRA 24.3.1

The operating system my web server runs on is (include version): Appliance BTPRA 7.3.1

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): BTPRA 24.3.1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I'm sorry I don't know the answers to the questions above which were left blank.

My question stems from:

How do I know where this will require action on my part?

That blog looks like a re-post of this: Ending OCSP Support in 2025 - Let's Encrypt

Can you be more specific? A wide variety of people and organizations use Let's Encrypt certs. There are wide varieties of skills among them.

Is there something in particular that has you concerned?

The main question is probably ... Do you currently request certs with the Must-Staple option?

3 Likes

Hello MikeMcQ,
Thank you for the reply. I found that the write-up from Cyber Security News is really pretty vague.

I turned on Let's Encrypt via a console interface, so I didn't have to understand anything about Let's Encrypt. To enable and use Let's Encrypt literally was a check box and filling in a domain name.

How would I tell if the process uses Must-Staple?

This environment is a stand-alone server/appliance. So I did not think OCSP was even needed for the CRL in a single server configuration. Or is Must-Staple the communication between my server and Let's Encrypt CA?

Yes, I'm struggling and learning, but appreciate any help.

Maybe this is a question for Beyond Trust?

This sentence doesn't make much sense methinks.

Maybe it's better to first look up what "OCSP" actually is and what a "CRL" actually is. Then you might understand the blog post better.

While reading up on "OCSP" you might also want to look into what is meant by "must staple", because currently I don't think you understand it by any means.

2 Likes

You don't use this unless you explicitly configured it in your ACME client. Indeed, the current certificate for vendorlink.bgea.org does not have this option. So no specific action to take for you.

6 Likes
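One way to answer "does my certificate have Must-Staple?" yourself, as an added example that is not part of the original thread: Must-Staple is the X.509 TLS Feature extension (RFC 7633) carrying `status_request`, and the OCSP URL lives in the Authority Information Access extension. The function names are hypothetical, and the sample input is a constructed skeleton, not a real certificate.

```python
TLS_FEATURE = bytes.fromhex("2b06010505070118")  # OID 1.3.6.1.5.5.7.1.24 (RFC 7633)
AIA = bytes.fromhex("2b06010505070101")          # OID 1.3.6.1.5.5.7.1.1
AD_OCSP = bytes.fromhex("2b06010505073001")      # OID 1.3.6.1.5.5.7.48.1

def tlvs(data):  # yield (tag, value) for each DER element at one nesting level
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def extensions(der_bytes):
    """Yield (oid, value) for each X.509 v3 extension in a DER certificate."""
    _, tbs = next(tlvs(next(tlvs(der_bytes))[1]))  # Certificate -> tbsCertificate
    for tag, body in tlvs(tbs):
        if tag == 0xA3:  # [3] EXPLICIT wrapper around Extensions
            for _, ext in tlvs(next(tlvs(body))[1]):
                fields = list(tlvs(ext))  # OID, optional critical flag, OCTET STRING
                yield fields[0][1], fields[-1][1]

def check_cert(der_bytes):
    """Report Must-Staple and OCSP URLs found in a DER certificate."""
    found = {"must_staple": False, "ocsp_urls": []}
    for oid, value in extensions(der_bytes):
        if oid == TLS_FEATURE:  # SEQUENCE OF INTEGER; 5 = status_request
            found["must_staple"] = any(v == b"\x05" for _, v in tlvs(next(tlvs(value))[1]))
        elif oid == AIA:  # SEQUENCE OF AccessDescription {method, location}
            for _, desc in tlvs(next(tlvs(value))[1]):
                (_, method), (loc_tag, loc) = tlvs(desc)
                if method == AD_OCSP and loc_tag == 0x86:  # 0x86 = URI GeneralName
                    found["ocsp_urls"].append(loc.decode("ascii"))
    return found

def der(tag, *parts):  # tiny DER encoder for the constructed sample (bodies under 128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(must_staple, ocsp_url=None):
    """Constructed skeleton (version, serial, extensions only), not a valid certificate."""
    staple = der(0x30, der(0x06, TLS_FEATURE), der(0x04, der(0x30, der(0x02, b"\x05"))))
    desc = der(0x30, der(0x06, AD_OCSP), der(0x86, (ocsp_url or "").encode()))
    aia = der(0x30, der(0x06, AIA), der(0x04, der(0x30, desc)))
    exts = der(0x30, staple * must_staple, aia * bool(ocsp_url))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0xA3, exts))
    return der(0x30, tbs)
```

For a live server, pass `check_cert` the DER bytes from `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`; a result of `must_staple: False` means the OCSP change needs no action for that certificate.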

Many many thanks ghen.

I will do the reading Osiris suggested and did read what was readily available to me. The Let's Encrypt write-up he provided also started to bring the components together for me.

2 Likes

Yes, I would ask them too. Make sure they don't require certificates to have OCSP URLs. They (very likely) do not but worth checking.

Refer them to the official Let's Encrypt post I provided if they have questions.

May 7, 2025

  • On this date we will drop OCSP URLs from certificates

4 Likes
