Certificate validation
Knowing the status of a certificate is critical to being able to trust it.
What it consists of and what it is used for
Validation services let you know whether or not a particular digital certificate has been revoked at any given time.
Every system or application must always verify that a certificate is valid before accepting it.
We offer publicly and free of charge the following consultation services for the certificates we issue.
Certificate validation using:
- Lists of revoked certificates (CRLs)
- Online certificate status protocol (OCSP)
Lists of revoked certificates (CRLs)
To find out if a certificate that has not yet expired is trusted, you should check that your serial number is included in the CRL issued by the issuing Certification Authority. If so, the certificate has been revoked and is not trusted.
You can download our CRLs below, which do not include expired certificates.
Online certificate status protocol (OCSP)
Defined in the standard RFC-6960 - OCSP over HTTP, it provides users and applications with an agile and fast way to get the status of a certificate, avoiding having to download the Revoked Certificate List (CRL).
http://ocsp.accv.es is the point from where we provide the service.
The OCSP server certificate, which is required to verify the signature of the responses, can be downloaded below:
OCSP ACCVRAIZ1
OCSP ACCVCA-110
OCSP ACCVCA-120
Information that could be useful
These are some of the most common questions we receive. If you do not find an answer to your question, contact us.
How much does it cost?
These services are public and provided free of charge.
I just revoked my certificate and can still use it, why?
If a procedure validates our certificates by CRL, there is a technological definition of up to 3 hours in our case in which the certificate may still appear active. If validation is performed by OCSP, this does not happen.
It is the body that owns the procedure that decides how to validate, not us. Although as you can see our recommendation is to do it for OCSP, and CRL only if the first one is not available.
If I access the OCSP from my web browser, I see nothing.
Even if you see that the OCSP lends itself to a URL as if it were a web page, it is not. That’s why you don’t see anything meaningful.
To consult the OCSP you have to do it with tools that implement the standard RFC-6960 - OCSP over HTTP. An example is OpenSSL.
How do I know my certificate serial number?
It is a value that is within your certificate. Any certificate viewer that allows you to view content will allow you to easily find the serial number.
What CRL do I download?
You must download the one from the Certification Authority that issued the certificate you want to validate.
I downloaded the CRL, but how do I see if my certificate is on it?
You must use tools that can work with CRLs, and you must have your certificate or serial number. Depending on the tool.
However, these services are designed for technical professions that need them in their systems or applications. Conventional users can validate their certificates, for example, in Valide.
Which OCSP certificate should I download?
You must download what is listed as an asset for the Certification Authority that issued the certificate you wish to validate. The rest are in case you have past saved OCSP answers, so you can validate them as well.
Remember that these services are designed for technical professions that need them in their systems or applications. Conventional users can validate their certificates, for example, in Valide.