Let’s Encrypt will be removing OCSP URLs from certificates on May 7, 2025 as part of our plan to drop OCSP support and instead support certificate revocation information exclusively via CRLs.
Subscribers can test this change by issuing certificates in our staging environment or with the tlsserver profile in production. On May 7, all certificate profiles will omit OCSP URLs. You can learn more about certificate profiles here.
This change means that all certificate requests with the OCSP Must-Staple extension will fail. Users will need to update their ACME client configurations to not request the extension. Support for OCSP Must-Staple requests had been disabled for a portion of subscribers, and as of May 7 it will be disabled for all.
Both OCSP and CRL are mechanisms to fetch certificate revocation information. Our certificates already include CRL URLs. Until we turn off our OCSP responders on August 6 of this year, you will still be able to query a certificate’s status via OCSP for certificates issued prior to this change.
If you have any questions, please open a help thread.