diff --git a/src/config/crypto.h b/src/config/crypto.h
index 8f885c554..1edcdce45 100644
--- a/src/config/crypto.h
+++ b/src/config/crypto.h
@@ -58,6 +58,14 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
  */
 #define CROSSCERT "http://ca.ipxe.org/auto"
 
+/** Perform OCSP checks when applicable
+ *
+ * Some CAs provide non-functional OCSP servers, and some clients are
+ * forced to operate on networks without access to the OCSP servers.
+ * Allow the user to explicitly disable the use of OCSP checks.
+ */
+#define OCSP_CHECK
+
 #include
 #include NAMED_CONFIG(crypto.h)
 #include
diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
index 9a6b3fe67..be0bddc50 100644
--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -14,6 +14,14 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include
 #include
 #include
+#include
+
+/* Allow OCSP to be disabled completely */
+#ifdef OCSP_CHECK
+#define OCSP_ENABLED 1
+#else
+#define OCSP_ENABLED 0
+#endif
 
 /** OCSP algorithm identifier */
 #define OCSP_ALGORITHM_IDENTIFIER( ... ) \
@@ -119,6 +127,10 @@ ocsp_put ( struct ocsp_check *ocsp ) {
  */
 static inline int ocsp_required ( struct x509_certificate *cert ) {
 
+	/* An OCSP check is never required if OCSP checks are disabled */
+	if ( ! OCSP_ENABLED )
+		return 0;
+
 	/* An OCSP check is required if an OCSP URI exists but the
 	 * OCSP status is not (yet) good.
 	 */
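Review bot: The new doc comment on OCSP_CHECK says the user may disable OCSP checks but not how, nor what is given up; since the macro carries no value, the only way to turn it off is to undefine it in the local configuration override that the include lines below it pull in. I would extend the comment with ` * To disable OCSP checks, #undef OCSP_CHECK in the local crypto configuration.` and ` * With OCSP disabled, certificate revocation is no longer checked via OCSP.` The include targets are not visible in this copy of the diff, so the exact override header name should be confirmed against the file before naming it in the comment.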
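Review bot: The comment above the OCSP_ENABLED definition states the intent but not where OCSP_CHECK comes from; the include added just above it is presumably the crypto configuration header that makes the #ifdef meaningful, and its target is not visible in this copy of the diff. I would make that dependency explicit, e.g. `/* OCSP_ENABLED is 1 unless OCSP_CHECK is undefined in the crypto configuration */`, so a reader does not take OCSP_ENABLED for an independent switch. Mapping the switch to a 0/1 constant rather than wrapping code in #ifdef is a sound choice, since the disabled path still compiles and type-checks.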
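Review bot: The doc comment of ocsp_required(), whose closing ` */` is the first context line of this hunk, does not mention the new early return, so a caller reading its return description will not learn that the function is unconditionally zero in a build with OCSP_CHECK undefined. I would add to that comment: `Always returns zero when OCSP checks are disabled at build time (OCSP_CHECK undefined), in which case revocation status is not consulted.` The body of ocsp_required() continues past the end of the hunk. This hunk only gates the "is a check required" decision; whether any other code path starts an OCSP fetch without consulting ocsp_required() cannot be seen here and is worth confirming.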