What is OCSP primarily used for?

Study for the WGU ITAS 2142 D830 Introduction to Cryptography Exam. Review flashcards and multiple choice questions with hints and explanations. Get ready for your exam!

Multiple Choice

What is OCSP primarily used for?

Explanation:
OCSP, the Online Certificate Status Protocol, is used to check in real time whether a digital certificate has been revoked, without downloading the entire certificate revocation list (CRL). In PKI, certificates can be revoked before they expire, so clients need a fast way to confirm a certificate is still valid during a handshake. The client asks an OCSP responder for the status of the certificate; the responder replies with good, revoked, or unknown. If the status is good, the certificate is trusted; if revoked, it should not be trusted. This approach provides up-to-date revocation information with less bandwidth than retrieving full CRLs and is a practical way to enforce revocation without delaying security. OCSP does not by itself provide encryption or perform server authentication, and it complements CRLs rather than disabling the concept of revocation.
