From ocserv(8) it is not clear to me if ocserv automatically picks up an update of the response file as generated by ocsptool. Checking the OCSP status from ocserv AFTER a response update from ocsptool suggests that a restart of ocserv is required:

    $ ocsptool --ask --load-cert=cert.pem --load-issuer=chain.pem --outfile ocsp.der
    ...
    Certificate Status: good
    This Update: Sat Jan 07 04:00:00 UTC 2017
    Next Update: Sat Jan 14 04:00:00 UTC 2017
    ...

    $ nc -cv vpn.domain 443
    ...
    this update: Tue Jan 3 05:00:00 2017
    next update: Tue Jan 10 05:00:00 2017
    revocation:
    ...

ocserv(8) also states that the response file needs to be replaced in an atomic way. If I'm not mistaken this means:

1.) Write output of ocsptool to a temp file;
2.) mv temp file to response file (as defined in ocserv.conf: ocsp-response)

Any ideas maybe...or should I just restart ocserv?

-- 
Björn Ketelaars
GPG key: 0x4F0E5F21
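The two-step replacement listed in the message, as an added shell example that is not part of the original post or of ocserv. The helper name `write_atomic`, the `--run` switch, the `./ocsp.der` destination and the file mode are assumptions; the ocsptool flags are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: replace an OCSP response file with a single rename, so a
# reader of the file sees either the old response or the new one, never a
# partially written file.

# write_atomic DEST CMD [ARGS...]
# Runs CMD with the temp file path appended as its last argument and renames
# the temp file over DEST only if CMD succeeded and wrote a non-empty file.
write_atomic() {
    dest=$1
    shift
    # The temp file must live in the same directory as DEST: a rename is
    # atomic only within one filesystem, and mv across filesystems degrades
    # to copy + delete.
    tmp=$(mktemp "$(dirname "$dest")/.ocsp.XXXXXX") || return 1
    if "$@" "$tmp" && [ -s "$tmp" ]; then
        # mktemp creates the file with mode 0600. An OCSP response is public
        # data; 0644 is an assumption, match whatever the old file used.
        chmod 644 "$tmp"
        mv -f "$tmp" "$dest"
    else
        # Fetch failed or produced nothing: keep the previous response.
        rm -f "$tmp"
        return 1
    fi
}

# Only contacts the responder when invoked as: sh script.sh --run
# --outfile is left last so the temp path becomes its argument.
if [ "${1:-}" = "--run" ]; then
    write_atomic ./ocsp.der \
        ocsptool --ask --load-cert=cert.pem --load-issuer=chain.pem --outfile
fi
```
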