Amazon CloudFront announces support for OCSP Revocation for Mutual TLS (Viewer)

Posted on: May 14, 2026

Amazon CloudFront now supports Online Certificate Status Protocol (OCSP) revocation checking for viewer mTLS, enabling you to validate client certificate revocation status in real time during connection establishment. This enables customers using mutual TLS (mTLS) on CloudFront to verify that client certificates haven't been revoked before accepting connections, a common requirement for regulated industries and zero-trust architectures.

Previously, customers implemented certificate revocation using CloudFront Functions and KeyValueStore, maintaining static revocation lists that were only as current as the last manual update. With OCSP, CloudFront queries the responder URL embedded in the client certificate at connection time, validating revocation status directly with the issuing Certificate Authority. CloudFront caches OCSP responses for up to 30 minutes to minimize the latency impact on subsequent connections. The OCSP result is exposed in the connection function, enabling customers to implement custom logic, such as grace periods for certificate rotation, IP-based exceptions, or combining OCSP with their own revocation lists.
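As an added illustration (not CloudFront's own API or code), the following Python model shows the two behaviours described above: a 30-minute OCSP response cache, and a custom admission rule that layers an operator-maintained revocation list and a rotation grace period on top of the OCSP result. The status strings, the `fetch` callback, the function names and the fail-closed handling of unknown results are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The announcement states CloudFront caches OCSP responses for up to 30 minutes.
OCSP_CACHE_TTL = timedelta(minutes=30)


@dataclass
class OcspCache:
    """Per-certificate OCSP result cache so repeat connections skip the responder."""
    ttl: timedelta = OCSP_CACHE_TTL
    _entries: dict = field(default_factory=dict)  # serial -> (status, fetched_at)

    def lookup(self, serial, now, fetch):
        """Return (status, served_from_cache); `fetch(serial)` queries the responder."""
        hit = self._entries.get(serial)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0], True
        status = fetch(serial)            # in production: HTTP to the AIA responder URL
        self._entries[serial] = (status, now)
        return status, False


def admit(serial, ocsp_status, revoked_at, now, local_revocation_list,
          grace=timedelta(0)):
    """Admission decision layered on top of the OCSP result (assumed policy).

    ocsp_status: "good", "revoked" or "unknown" (hypothetical status strings).
    revoked_at:  revocation time reported by the responder, or None.
    grace:       window after revocation during which the old certificate is
                 still accepted so clients can finish rotating to a new one.
    """
    if serial in local_revocation_list:   # the operator's own list always wins
        return False
    if ocsp_status == "good":
        return True
    if ocsp_status == "revoked" and revoked_at is not None:
        return now - revoked_at < grace   # still inside the rotation grace window?
    return False                          # revoked with no time, or unknown: fail closed
```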

OCSP revocation checking for viewer mTLS is available at no additional cost. To learn more, refer to the documentation for CloudFront Mutual TLS (Viewer).