Khatim OCSP Server > Reliable & Scalable

High Assurance, Resilient, OCSP server with industry-leading speed
  • Compatible with IETF 6960, 5019 standards
  • Get Advanced OCSP insights, reporting & alerting
  • Enterprise ready, secure and quick to deploy OCSP server
  • Provide real-time or CRL based revocation for online, off-line CAs and PKIs
Download Datasheet

Purpose of an OCSP Server | Validation Authority

Validation - Certificate status - Real-time

The Online Certificate Status Protocol (OCSP) server aka Validation Authority is an essential tool for verifying the revocation status of X.509 digital certificates. By checking the revocation status of a certificate, one can ensure that the certificate is still valid and can be trusted.

The use of OCSP servers reduces the overheads associated with traditional Certificate Revocation Lists (CRLs) and provides a more efficient and scalable method for certificate validation. Selecting the right OCSP server is hence a crucial step in your digital transformation journey providing timely access to critical business services.

"Khatim OCSP Server: Provides pivotal role in establishing Digital Trust"

What makes Khatim OCSP Server stand out?

Built for Speed

In the realm of validating digital certificates, time is of the essence. Khatim OCSP server offers market-leading performance designed to cater to high-volume OCSP processing.


Secured Processing & Audit

Establishing a high level of security and assurance is crucial in any business. Khatim OCSP server achieves this by utilizing military-grade security measures for all its functions, including key management, OCSP signing, administration, and transaction management.

Keeping it simple

Complicated OCSP systems can lead to confusion and increase the likelihood of errors. Khatim OCSP server, boasts user-friendly, web GUI for administrators, making deployment, integration, and testing much quicker than other solutions on the market.

Core Features

Features you get from Khatim OCSP Server | Validation Authority
IETF and CA/B Forum & Compliancy

Khatim OCSP Server adheres to the industry standards set by IETF and CA/B Forum for OCSP response, which includes RFC 6960 and 5019 profiles. This allows seamless integration with a wide range of business applications such as Adobe Acrobat, Microsoft Office, web browsers & web servers.

Support any HSM & CAs

Integrate with your existing HSMs using PKCS#11 like Entrust nShield, Thales Luna, Protect Server, Utimaco Cryptoserver etc. It also seamlessly integrates with non PKCS#11 based HSM like Microsoft Azure Key Vault, AWS Cloud HSM and Google Cloud HSM.

OCSP Insights & Reporting

Admins can monitor their OCSP servers in real-time, and filter data based on revocation status, policies, success/failure, signing algorithm, and more. Khatim OCSP server also creates daily summary reports along similar data points providing administrator a snapshot of what types of OCSP responses were generated during the day, failures and alerts.

Serve Multiple CAs & PKIs

Have multiple CAs or PKIs? A single deployment of Khatim OCSP Server can handle multiple Certification Authorities, PKI, local or remote CAs. Easily setup multiple OCSP policies by identifying OCSP signing certificate, CA to serve, whether to add extended revocation information and more.

Secure Military Grade Access Control

Trusted resources access key functions via powerful, multi factor authentication using military-grade TLS Client authentication.

Provides Real-time Revocation

Khatim OCSP Server offers a range of options for revocation checking, including real-time by accessing the list of issued digital certificates by the CA. It can also use CRLs issued by the CA to respond to incoming OCSP requests, making it compatible with both online and offline CAs.

Cryptographic Agility

Khatim OCSP server supports diverse cryptographic requirements such as:


– RSA (2048, 4096, 8192)
– ECDSA (192, 224, 256, 320, 384, 512)
– SHA-256, 384 and 512 hashing algorithms

Cross Platform, Diverse Deployments

The Khatim OCSP server is platform-independent, making it compatible with both Windows and Linux. It can be easily deployed in various environments, including:


– On-premise private or public cloud
– VMs
– Physical machines

Logging & Auditing

Khatim OCSP server logs and saves all incoming transactions and configurations for thorough analysis. Administrators can easily download and review request/responses in real-time for server status checks and troubleshooting purposes. All updates made to the system is also recorded providing a reliable audit trail.

Unlimited Scalability

Khatim OCSP server can form a cluster of multiple OCSP servers to minimize latency. New OCSP servers can be added without stopping the running instances, resulting in high throughput.

Proactive Alerts & Troubleshooting

Khatim OCSP server sends proactive notifications to administrators in case of server malfunction. All issues are recorded for traceability and can also be securely pushed to your central logging systems such:


– Splunk
– Grafana
– Greylog
– LogRhythm etc.

Quick Replacement

Upgrade to Khatim OCSP Server and eliminate performance bottlenecks while reusing your existing OCSP keys. Say goodbye to legacy OCSP servers effortlessly.

How Khatim OCSP Server works?

Khatim OCSP Server (KOS) consist of 4 core components:

  • Portal: Access OCSP configs, transactions & statistics
  • Engine: Provides OCSP service to business apps
  • Diagnostic: Performs housekeeping and health checks
  • Storage: Stores configurations and transactional data

The overall processing logic is quite simple:

  • Business applications send OCSP requests containing certificate information
  • KOS verifies the incoming request
  • KOS create a digitally signed OCSP response


Supported OS

All flavors of Windows Server & Linux (Centos, Ubuntu, RedHat, Fedora)


English - Other languages can be supported on demand

Minimum H/W Requirement

8 GB RAM, 2 vCPU (2.3 GHz), 10 GB disk space.

Pricing & Maintenance


  • Khatim OCSP Server is charged per bundle
  • Each bundle allows you to deploy 2 instance of OCSP server in high availability mode
  • To add more servers in your existing pool; Add more bundles OR Buy a single server instance at 50% of the bundle price
  • Test environments or Staging environments are charged 50% of the price
  • Price is inclusive of first 12 months of maintenance plan

Maintenance Plan

With active annual software maintenance plan you:

  • Keep your installation safe and secure with the latest security updates
  • Get free access to the newest features, enhancements, and bug fixes
  • Get premium support from our technical engineers (within 24 hours on business days)

Has your maintenance expired?

When you buy a Khatim OCSP Server license, you automatically get free 12 months of maintenance. Want to renew your maintenance plan? The price for 12 months is 25% of your license’s (current) list price.

Save more with extended supported:

  • Extend for 24 months and save 10%
  • Extend for 36 months and save 15% best value

Success Story


“Codegic team was immensely helpful in bringing our ideas for phone-based PKI authentication and signing to reality. Codegic was absolutely up to the challenge of bringing the security and accountability of our Authenticity Infrastructure’s identity certificates to iOS and Android. They gave us secure solutions when it came to advanced digital signatures (CAdES, JSON signing) and WebCrypto. With top quality support, they are a go to shop for any serious PKI / Digital Signature development.”


Wes Kussmaul, CEO, Reliable Identities, Inc.


Can we integrate with existing CAs?

Naturally, integrating Khatim OCSP Server with your current CAs is possible, and any customization required for the integration will be free of charge.

What is needed to run an OCSP server?

Deploying an OCSP server requires three core components:


– OCSP software and an efficient hardware on which to deploy
– CA configurations
– Cryptographic Hardware; Such as an HSM, ensures that the keys utilized to sign OCSP responses remain secure and protected.

How can developers integrate with OCSP servers?

Developers can use any open source API like bouncy castle which provides client side implementation for OCSP. More details can be found here.

How many OCSP server instances I need to deploy?

Deploy at least two instances initially for high availability and add more as needed to achieve the desired transaction per second (TPS) rate. Khatim OCSP Server allows for an unlimited number of instances to be deployed. Consider deploying the OCSP server in both staging and disaster recovery (DR) zones.

What it takes to be a Trusted Service Provider (TSP) for OCSP?

To become a Trusted Service Provider (TSP) for OCSP, it is necessary to comply with several ETSI and IETF standards, which include:


ETSI EN 319 411-1 V1.3.1: This standard defines the policy and security requirements for Trust Service Providers issuing certificates. Part 1 of the standard outlines general requirements for electronic signatures and infrastructures.
RFC 6960: This document specifies the technical and security requirements for TSPs providing Online Certificate Status Protocol (OCSP) services.

How can we boost the performance of Khatim OCSP Server?

There are many factor which can boost the performance. This includes:


– Opting for ECDSA over RSA keys (Check with your HSM vendor too)
– 2048 bit RSA keys over 4096 bit
– 384 bit ECDSA key over 521 bit
– Deploying multiple load balanced servers instead of a single instance
– Deploying OCSP server near your client region with low network latency
– Using HSM for keys storage instead of software
– Using a PCI based HSM over network/cloud based HSM

There are already many OCSP servers in the market why choose Khatim OCSP server?

Choosing the right OCSP server could be difficult. In any case, follow the checklist to choose the right one:


– Does it provide quick installation and simple configuration?
– Does it provide the throughput you expect & scales quickly?
– Does it support RFC 6960, 5019 and PKCS#11 interfaces?
– Does it support RSA and ECDSA based encryption?
– Does it raise alerts in case of failures?
– Does the vendor provide quick support?
– Are all operations done securely?
– Does it fit your budget?

Can alerts to be pushed to a central logging system?

Khatim OCSP Server features an integrated logging system that records all incoming requests and responses, while also alerting administrators of any issues. Furthermore, secure notifications can be sent to central logging systems such as Splunk, Grafana, Greylog, LogRhythm, and others.

Which technology stack is used for time OCSP processing?

Khatim OCSP server is built with Java (OpenJDK) and Apache Tomcat, providing platform independence and allowing for easy deployment on multiple platforms such as Linux, Windows, and Mac.


Test drive Khatim OCSP Server and explore its powerful features.

Still not convinced?

All it takes few minutes to see Khatim OCSP Server into action!
Super Simple Installation

Khatim OCSP server boasts a hassle-free installation and configuration process that administrators find easy to use.

Blazing fast Performance

With proper configuration in a load-balanced environment, Khatim OCSP server offers lightning-fast OCSP.

Try for free

Want to witness the power of Khatim OCSP server firsthand? Sign up for our 30-day free trial today.