Thanks for the summary @hoelska , really helpful. As noted by @Elephant Head Software, looking at the implementation of the official library we can find a comment indicating that "We don't include the root cert in the path, due to OCSP not being supported", also the code discards the root (3rd) certificate. If I get it correctly it means that there is not point to check for online revocation ?

Responding to my own comment. For some reasons in Sandbox when a refund or declined refund are tested : Your Backend will immediately get a DID_CHANGE_RENEWAL_STATUS notification It's only ~1 hour later that it will also get the REFUND or REFUND_DECLINED notification Hope this helps.