Important Notice: Deprecation of OCSP for HARICA Publicly-Trusted TLS Certificates
Dear HARICA Subscribers,
Effective March 2, 2026, HARICA will officially deprecate the use of the Online Certificate Status Protocol (OCSP) for all newly issued publicly-trusted server TLS certificates, with exceptions made only for specific use cases where required.
In accordance with evolving industry standards and browser requirements, certificates issued after this date will no longer contain an OCSP responder URL in the Authority Information Access (AIA) extension, by default. Instead, certificate revocation status will be managed exclusively through Certificate Revocation Lists (CRLs) and modern browser-native mechanisms.
Why is this change happening?
The industry-wide move away from OCSP is driven by three primary factors:
1. User Privacy: Standard OCSP requests are unencrypted. When a browser checks a certificate’s status via OCSP, it informs the CA which IP address is visiting which website. Removing OCSP eliminates this privacy leak, ensuring that HARICA cannot track user browsing patterns.
2. Reliability and Performance: OCSP lookups often add significant latency to the TLS handshake (the “OCSP stapling” solution, while helpful, has seen inconsistent adoption). Furthermore, if an OCSP responder is slow or unreachable, it can cause “soft-fail” delays or “hard-fail” connection errors, impacting site availability.
3. Modern Revocation Standards: Browsers such as Apple Safari, Google Chrome and Mozilla Firefox have shifted toward more efficient, privacy-preserving methods for checking revocation at scale, such as CRLSets and CRLite. These methods rely on the CA publishing compressed CRLs rather than answering individual OCSP queries.
Timeline of Changes
- Today – March 1, 2026: No immediate action is required. HARICA will continue to support OCSP for all active certificates.
- March 2, 2026: All new TLS certificates issued by HARICA will omit the OCSP AIA extension by default. Certain exceptions will be allowed on a case-by-case basis.
- Post-March 2, 2026: Existing certificates issued prior to this date will continue to have functional OCSP support until their natural expiration. By May 4, 2027, we expect our public OCSP infrastructure to be fully decommissioned for TLS.
Impact on Subscribers
For the vast majority of subscribers, no action is required. Modern web browsers (Chrome, Safari, Firefox, and Edge) have already prepared for this transition.
However, a small number of “legacy” or “non-browser” applications that rely strictly on the presence of an OCSP URL in the certificate for hard-fail revocation checking may experience issues. We recommend the following:
- Review Legacy Systems: If you use specialized hardware or older software that requires OCSP for mutual TLS (mTLS) or specific compliance checks, ensure they support CRL-based revocation. If you operate legacy systems that rely exclusively on OCSP and cannot process CRLs, please contact our technical support team to discuss available options.
- OCSP Stapling: If you currently use OCSP Stapling on your web servers, the server will simply stop stapling a response once the new certificate (without an OCSP URL) is installed. This will not break the connection in modern browsers.
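The two checks above (does a certificate still carry an OCSP URL in its AIA extension and a CRL Distribution Point, and is a server still stapling) can be run with the openssl CLI. The script below is added here as an example and is not HARICA tooling; it assumes OpenSSL 1.1.1 or later, and the self-signed test certificates and the `example.test` hostnames it builds are constructed sample data, not HARICA-issued certificates.

```shell
#!/bin/sh
# Added example (not HARICA's own tooling): report a certificate's revocation
# pointers so a subscriber can compare a pre-March 2, 2026 certificate with its
# replacement, and probe whether a live server still staples an OCSP response.
# Requires the openssl CLI (1.1.1+ for -ext and -addext).

# Print the OCSP responder URIs from the AIA extension, one per line.
# Prints nothing for a certificate issued without an OCSP URL.
ocsp_uris() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Print the URIs from the CRL Distribution Points extension, one per line.
crl_dps() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
    | grep -o 'URI:[^, ]*' | sed 's/^URI://'
}

# Classify the certificate's revocation pointers:
#   ocsp+crl   pre-deprecation profile (OCSP URL and CRL DP both present)
#   crl-only   default profile for certificates issued from March 2, 2026
#   ocsp-only  a legacy-only verifier would work, a CRL-only verifier would not
#   none       no revocation pointer at all
revocation_profile() {
  local has_ocsp has_crl
  has_ocsp=0; has_crl=0
  [ -n "$(ocsp_uris "$1")" ] && has_ocsp=1
  [ -n "$(crl_dps "$1")" ] && has_crl=1
  case "$has_ocsp$has_crl" in
    11) echo "ocsp+crl" ;;
    01) echo "crl-only" ;;
    10) echo "ocsp-only" ;;
    *)  echo "none" ;;
  esac
}

# Probe a live server on port 443 and report whether it staples an OCSP
# response in the handshake. Needs network access, so it is not exercised
# by the offline checks below. Prints "stapled" or "not stapled".
stapling_status() {
  if openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
      | grep -q 'OCSP Response Data:'; then
    echo "stapled"
  else
    echo "not stapled"
  fi
}

# Build a throwaway self-signed certificate (constructed sample data) carrying
# the given X.509 extensions, e.g.
#   make_test_cert out.pem "crlDistributionPoints=URI:http://crl.example.test/ca.crl"
make_test_cert() {
  local out
  out=$1; shift
  # Rebuild "$@" as "-addext <value>" pairs without bash arrays (POSIX sh).
  for ext in "$@"; do
    set -- "$@" -addext "$ext"
    shift
  done
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out%.pem}.key" -out "$out" \
    -subj "/CN=revocation-profile-test" -days 1 "$@" 2>/dev/null
}

# Usage: sh revocation_check.sh cert.pem [hostname]
if [ "$#" -gt 0 ]; then
  echo "$1: $(revocation_profile "$1")"
  [ "$#" -gt 1 ] && echo "$2: $(stapling_status "$2")"
fi
```

Run `revocation_profile` against the certificate currently installed and against its replacement: a certificate issued before the cut-over reports `ocsp+crl`, one issued under the new default reports `crl-only`. A result of `crl-only` on a system that the first bullet above describes (hard-fail OCSP, no CRL processing) is the case to raise with support before the renewal is deployed. `stapling_status` run before and after installing the new certificate shows the server dropping the stapled response, which is the behaviour the second bullet describes.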
Our Commitment to Security
This change marks a meaningful step toward a faster, more private, and more resilient internet. We appreciate your continued trust in HARICA and remain committed to supporting you throughout this transition.