Best Free OCSP Server Solutions for Testing on Windows & Linux



When developing PKI solutions or testing certificate revocation, having a local OCSP responder is crucial. Production OCSP services often have rate limits or require valid certificates, making them unsuitable for development environments.

Here are three reliable options we've tested:

# OpenSSL-based OCSP responder (Linux/Windows)
openssl ocsp -port 8080 -index index.txt -CA ca.crt \
  -rsigner resp.crt -rkey resp.key -text

The OpenSSL method works well but requires manual certificate setup. For a more automated solution:

# EJBCA Community Edition (Java-based)
bin/ejbca.sh ocsp --port 8080 --allow-extensions

For Windows developers, these work particularly well:

// Simple OCSP Server in C# (requires .NET Core)
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddOcspResponder();
var app = builder.Build();
app.MapOcspResponder("/");
app.Run();

When you need temporary public endpoints:

  • Let's Encrypt staging environment (rate-limited)
  • AWS ACM PCA (free tier eligible)
  • Google Cloud CAS trial

Here's how to test OCSP Stapling with Nginx:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/trusted.crt;
resolver 8.8.8.8 valid=300s;

Watch for these issues:

  1. Clock skew between client and server
  2. Missing intermediate certificates
  3. Firewall blocking OCSP port (usually 80 or 8080)

When testing certificate revocation in development environments, commercial OCSP solutions often add unnecessary complexity. A minimal implementation lets you:

  • Verify client-side revocation checking logic
  • Test custom PKI infrastructures
  • Simulate different OCSP response scenarios (valid/revoked/unknown)

1. OpenSSL's Built-in OCSP Server (Cross-platform):


openssl ocsp -index index.txt -port 8080 -rsigner root-cert.pem -rkey root-key.pem -CA chain.pem -text

Key flags:

  • -index: Your certificate database file
  • -rsigner: Responder certificate
  • -CA: CA certificate chain
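
The file passed to -index is the OpenSSL CA database: one tab-separated record per certificate holding a status flag (V or R), expiry time, revocation time with optional reason, hex serial, file name and subject. The Python below is an added example, not code from the original page: it writes records for test scenarios and predicts the status a responder backed by that index should return for a given serial. The helper names, serial numbers and subjects are constructed for illustration.

```python
from datetime import datetime, timezone

UTC = timezone.utc
FMT = "%y%m%d%H%M%SZ"  # UTCTime form used in the index.txt date fields

def index_line(serial, subject, not_after, revoked_at=None, reason=None):
    """Build one record: flag, expiry, revocation, serial, file name, subject."""
    serial_hex = format(serial, "X")
    if len(serial_hex) % 2:
        serial_hex = "0" + serial_hex  # upper-case hex, even number of digits
    flag = "R" if revoked_at is not None else "V"
    revocation = ""
    if revoked_at is not None:
        revocation = revoked_at.strftime(FMT) + (f",{reason}" if reason else "")
    return "\t".join([flag, not_after.strftime(FMT), revocation, serial_hex, "unknown", subject])

def expected_status(index_text, serial):
    """Return (status, revocation_time, reason) expected for this serial."""
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip blank or malformed records
        flag, _expiry, revocation, serial_hex, _file, _subject = fields
        if int(serial_hex, 16) != serial:
            continue
        if flag == "V":
            return ("good", None, None)
        if flag == "R":
            when, _, reason = revocation.partition(",")
            revoked_at = datetime.strptime(when, FMT).replace(tzinfo=UTC)
            return ("revoked", revoked_at, reason or None)
        # other flags (e.g. E) are not modelled in this example
    return ("unknown", None, None)  # serial is not in the database

# Constructed sample database: one valid and one revoked certificate.
SAMPLE_INDEX = "\n".join([
    index_line(0x1000, "/CN=good.test", datetime(2030, 1, 1, tzinfo=UTC)),
    index_line(0x1001, "/CN=revoked.test", datetime(2030, 1, 1, tzinfo=UTC),
               revoked_at=datetime(2024, 6, 1, 12, 0, 0, tzinfo=UTC), reason="keyCompromise"),
]) + "\n"

if __name__ == "__main__":
    print(SAMPLE_INDEX, end="")
    for s in (0x1000, 0x1001, 0x1002):
        print(hex(s), expected_status(SAMPLE_INDEX, s))
```

Write SAMPLE_INDEX to index.txt to give the responder one certificate per scenario; a serial absent from the file exercises the unknown case.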

2. Smallstep's OCSP Responder (Go-based):


git clone https://github.com/smallstep/ocsp-responder
cd ocsp-responder
go run cmd/responder/main.go --cert chain.pem --key key.pem

3. Certification Authority OCSP (certsrv.msc):

  1. Install Active Directory Certificate Services role
  2. Enable "Online Responder" feature
  3. Configure via ocspadmin.msc

Alternative: Python micro-responder:


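from OpenSSL import SSL

def ocsp_handler(conn, data):
    # Custom response logic here: return the DER-encoded OCSP response
    # to staple, or b"" when none is available for this connection
    return data or b""

# pyOpenSSL exposes OCSP through stapling callbacks on the TLS context
context = SSL.Context(SSL.SSLv23_METHOD)
context.set_ocsp_server_callback(ocsp_handler, data=None)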

Verify responses using OpenSSL:


openssl ocsp -issuer chain.pem -cert test.pem -url http://localhost:8080 -resp_text

Expected outputs:

  • 0x0 - Good (valid certificate)
  • 0x1 - Revoked
  • 0x2 - Unknown