KB Article #179447

How does the OCSP Client filter behave when fed an expired certificate?

Problem

The OCSP Client filter doesn't list an 'expired' status, so how does it behave when given an expired certificate?

Resolution


The OCSP protocol itself does not provide for expiration checking. If a certificate is not on the CRL, the OCSP server itself will return a 'good' status. That said, the OCSP Client filter in API Gateway does check the expiration date on the certificate. If the OCSP Client filter detects that the certificate is expired, it will not make an OCSP query against your responder, it will simply follow the failure path and the ocsp.response.certificate.status property will not be generated because no OCSP request was ever generated.
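The behaviour described above, modelled as an added example (constructed stand-ins, not API Gateway or Axway code): the emulated responder answers only from a revocation list and knows nothing about expiry, while the client-side filter checks the expiry date before building any request. The mapping of a 'revoked' answer to the failure path is an assumption for the illustration; the article only states the expired case.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Certificate:
    serial: int
    not_after: datetime  # expiry date carried in the certificate itself


class Responder:
    """Emulates an OCSP responder: answers from a revocation list, never looks at expiry."""

    def __init__(self, revoked_serials):
        self.revoked = set(revoked_serials)
        self.requests_seen = []  # lets the caller see whether a query was made at all

    def query(self, serial):
        self.requests_seen.append(serial)
        return "revoked" if serial in self.revoked else "good"


def ocsp_client_filter(cert, responder, now):
    """Returns (path, attrs): the filter path taken and the message properties it set."""
    attrs = {}
    # Expiry is checked first; an expired certificate never reaches the responder,
    # so ocsp.response.certificate.status is never populated for it.
    if cert.not_after < now:
        return "failure", attrs
    status = responder.query(cert.serial)
    attrs["ocsp.response.certificate.status"] = status
    # Assumption: a 'good' answer follows the success path, anything else the failure path.
    return ("success" if status == "good" else "failure"), attrs


def demo():
    """Constructed scenario: one expired, one revoked and one valid certificate."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    responder = Responder(revoked_serials={2})
    certs = {
        "expired": Certificate(serial=1, not_after=datetime(2023, 1, 1, tzinfo=timezone.utc)),
        "revoked": Certificate(serial=2, not_after=datetime(2025, 1, 1, tzinfo=timezone.utc)),
        "valid": Certificate(serial=3, not_after=datetime(2025, 1, 1, tzinfo=timezone.utc)),
    }
    results = {name: ocsp_client_filter(c, responder, now) for name, c in certs.items()}
    return results, responder.requests_seen


if __name__ == "__main__":
    for name, outcome in demo()[0].items():
        print(name, outcome)
```

Policy that branches on ocsp.response.certificate.status should therefore treat a missing property as "expired or never queried", not as an unknown OCSP status.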