---
checkId: check.timestamp.ocsp.responder
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, ocsp, responder, revocation]
---

# OCSP Responder Availability

## What It Checks

Checks that the configured OCSP responders are reachable. The check:

- Gets the configured OCSP responders from the registry.
- Sends an OPTIONS request to each responder with a 10-second timeout.
- Treats 2xx and 405 (Method Not Allowed) responses as healthy.
- Fails if all responders are unavailable; warns if only some are unavailable.
- Reports degraded if no responders are configured.

## Why It Matters

OCSP responders provide real-time certificate revocation status. If they are unreachable, the system cannot verify whether TSA certificates have been revoked and may accept timestamps signed with compromised certificates.

## Common Causes

- OCSP responder server is down
- Network connectivity issues
- Firewall blocking HTTP/HTTPS to the OCSP URLs
- OCSP responder URL changed by the CA

## How to Fix

### Docker Compose

```bash
# Test OCSP responder connectivity from inside the service container
# (replace <container> with the container name or ID)
docker exec <container> curl -v http://ocsp.digicert.com
```

### Bare Metal / systemd

```bash
# Query the OCSP responder for the TSA certificate and print the response
openssl ocsp -issuer /path/to/issuer.pem -cert /path/to/cert.pem \
  -url http://ocsp.digicert.com -resp_text
```

### Kubernetes / Helm

Ensure egress NetworkPolicies allow traffic to the OCSP responder URLs.

## Verification

```
stella doctor run --check check.timestamp.ocsp.responder
```

## Related Checks

- `check.timestamp.ocsp.stapling` — checks OCSP stapling configuration
- `check.timestamp.revocation.cache-fresh` — checks revocation cache freshness
- `check.timestamp.crl.distribution` — checks CRL distribution point availability
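The probe and aggregation logic described under "What It Checks", as an added example that is not StellaOps' own code: an OPTIONS request per responder with a 10-second timeout, 2xx or 405 counted as healthy, and the fail/warn/degraded decision over the whole list. The function names and the injectable `probe` parameter (used so the aggregation can be exercised offline) are assumptions, not part of the product.

```python
import urllib.error
import urllib.request
from typing import Callable, Iterable

# 405 Method Not Allowed still proves the responder is up and answering HTTP.
HEALTHY_STATUSES = set(range(200, 300)) | {405}


def probe_responder(url: str, timeout: float = 10.0) -> bool:
    """Send an OPTIONS request; True only if the responder answered 2xx or 405."""
    req = urllib.request.Request(url, method="OPTIONS")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status in HEALTHY_STATUSES
    except urllib.error.HTTPError as err:
        # urllib raises for non-2xx; a 405 is still a healthy answer.
        return err.code in HEALTHY_STATUSES
    except (urllib.error.URLError, OSError):
        # DNS failure, connection refused, TLS error or socket timeout.
        return False


def evaluate_responders(
    urls: Iterable[str],
    probe: Callable[[str], bool] = probe_responder,
) -> dict:
    """Aggregate per-responder results into the check status (hypothetical helper)."""
    urls = list(urls)
    if not urls:
        return {"status": "degraded", "unavailable": [],
                "message": "no OCSP responders configured"}
    unavailable = [u for u in urls if not probe(u)]
    if len(unavailable) == len(urls):
        status = "fail"          # every responder unreachable: revocation cannot be checked
    elif unavailable:
        status = "warn"          # partial outage: some responders still answer
    else:
        status = "pass"
    return {"status": status, "unavailable": unavailable,
            "message": f"{len(urls) - len(unavailable)}/{len(urls)} responders reachable"}


if __name__ == "__main__":
    # Constructed sample list; the real check reads responders from the registry.
    print(evaluate_responders(["http://ocsp.digicert.com"]))
```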