OCSP Stapling

Security Glossary - SSL/TLS

Definition: OCSP stapling is a technique in which the web server, rather than the client, fetches the signed OCSP response for its own certificate from the CA's responder and includes ("staples") it in the TLS handshake, using the Certificate Status Request (status_request) extension. The client then has no need to contact the CA itself, which improves both performance and privacy and makes revocation checking more dependable.

The Importance of OCSP Stapling

OCSP stapling addresses the three main problems with traditional OCSP: privacy, performance, and reliability. With stapling, the browser receives the revocation status from the server it is already talking to and does not contact the CA, so the CA cannot build a record of which sites a user visits. The OCSP response rides along in the TLS handshake, saving the extra DNS lookup and round trip to the CA's responder that would otherwise delay the connection. And because the server caches the response, a temporary responder outage does not affect clients for as long as the cached response remains inside its validity window.

The server periodically fetches a fresh OCSP response (typically every few hours) and caches it. The response is signed by the CA, or by an OCSP responder certificate the CA has delegated, so the server cannot forge or alter it; it can only pass it on. If the certificate has been revoked, the server receives a "revoked" response, and any client that evaluates the staple will refuse to connect. One caveat: stapling on its own does not force a client to check. A server that has been compromised can simply omit the staple, and most browsers then proceed without a revocation result (soft fail). Only a certificate that carries the OCSP Must-Staple extension (the TLS Feature extension, RFC 7633) tells clients to reject a handshake that does not include a valid stapled response.

Enabling OCSP stapling is straightforward on most web servers (a few lines of configuration in Nginx or Apache) and gives a measurable performance improvement by removing an external request from the client's path to the first byte. Two things are easy to overlook: the server itself must be able to reach the CA's OCSP responder over HTTP, so outbound firewall rules and DNS resolution on the server matter, and the server should be told to verify the response it fetched against the issuer chain rather than stapling whatever it received. Stapling is considered a best practice for all HTTPS servers.

How to Check

An SSL checker reports whether OCSP stapling is enabled on your server. You can also test with the openssl command: openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -status < /dev/null. The -servername option sends SNI so that the server selects the right certificate, and the redirect closes the connection once the handshake is done. Look for "OCSP Response Status: successful (0x0)" near the top of the output to confirm that a staple was sent, and for "Cert Status: good" a few lines below it; "OCSP response: no response sent" means the server did not staple. Note that Nginx fetches its first response lazily, after the first handshake, so run the test twice before concluding that stapling is off.
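The following script is an added example for this glossary entry, not DomainOptic's scanner code: it wraps the openssl s_client check above, classifies what the server stapled (good, revoked, or nothing), and pulls out the staple's "Next Update" time, which is the value to watch for the expiry problem discussed in the FAQ. It assumes only an openssl binary in PATH; the hostname is whatever you pass in, and the sample output it parses offline is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this glossary entry (not DomainOptic's scanner code):
# test a TLS server for OCSP stapling with `openssl s_client -status` and
# classify what came back. The only assumption is a working `openssl` in PATH;
# the hostname is whatever you pass to check_ocsp_stapling.

# Reads `openssl s_client -status` output on stdin and prints one word:
#   stapled:good     a staple was sent and it says the certificate is good
#   stapled:revoked  a staple was sent and it says the certificate is revoked
#   stapled:other    a staple was sent but the Cert Status line is missing or unusual
#   none             no OCSP status was stapled
classify_stapling_output() {
    _out=$(cat)
    case "$_out" in
        *"OCSP Response Status: successful"*) ;;
        *) echo none; return 0 ;;
    esac
    case "$_out" in
        *"Cert Status: good"*)    echo stapled:good ;;
        *"Cert Status: revoked"*) echo stapled:revoked ;;
        *)                        echo stapled:other ;;
    esac
}

# Reads the same output and prints the staple's "Next Update" timestamp
# (empty if there is no staple). Once this time has passed, clients treat the
# staple as invalid, so it is the value to monitor for staple expiry.
staple_next_update() {
    sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1
}

# check_ocsp_stapling HOST [PORT]
# -servername sends SNI so the server picks the right certificate (and staple);
# </dev/null closes the connection as soon as the handshake has completed.
# Run it twice against Nginx: it fetches its first response lazily, after the
# first handshake, so the first run may legitimately report "none".
check_ocsp_stapling() {
    _host=$1
    _port=${2:-443}
    openssl s_client -connect "$_host:$_port" -servername "$_host" -status \
        </dev/null 2>/dev/null | classify_stapling_output
}

# Constructed sample of the relevant part of `openssl s_client -status`
# output for a server that staples a "good" response. It lets the parser be
# exercised offline; real output contains many more lines.
SAMPLE_STAPLED_OUTPUT='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2025 GMT
    Next Update: Jan  8 00:00:00 2025 GMT'

# Constructed sample for a server that sends no staple.
SAMPLE_NO_STAPLE_OUTPUT='OCSP response: no response sent'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_STAPLED_OUTPUT"   | classify_stapling_output   # stapled:good
printf '%s\n' "$SAMPLE_STAPLED_OUTPUT"   | staple_next_update         # Jan  8 00:00:00 2025 GMT
printf '%s\n' "$SAMPLE_NO_STAPLE_OUTPUT" | classify_stapling_output   # none

# Live check, only when a hostname is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ocsp_stapling "$1" "${2:-443}"
fi
```

Usage: save as ocsp-check.sh and run sh ocsp-check.sh yourdomain.com. A result of stapled:revoked means the server is faithfully passing on a CA-signed "revoked" status, which is exactly what a client will reject; none means no staple was sent, which most browsers accept silently unless the certificate carries OCSP Must-Staple.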

OCSP Stapling FAQ

Does OCSP stapling work with Let's Encrypt?
Historically, yes: Let's Encrypt certificates carried an OCSP responder URL in the Authority Information Access extension, and all major web servers support stapling. Let's Encrypt has since announced the end of its OCSP service during 2025, dropping the OCSP URL from newly issued certificates and relying on CRLs instead; a certificate without an OCSP URL has nothing to staple, and a server configured for stapling will simply send no status for it. Check the certificate's Authority Information Access extension (openssl x509 -in cert.pem -noout -ocsp_uri) before relying on stapling. Where a certificate does carry a responder URL, Nginx enables stapling with ssl_stapling on; together with ssl_stapling_verify on;, ssl_trusted_certificate, and a resolver directive so it can look up the responder's hostname, and Apache with SSLUseStapling on together with an SSLStaplingCache directive defined outside any VirtualHost.
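As an added example (not from the original page and not DomainOptic's configuration), here is a minimal Nginx server block showing the lone ssl_stapling on; that is often copied, beside the set of directives that stapling actually needs to work and to be trustworthy. The hostname and certificate paths are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                                  # placeholder hostname

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;   # leaf + intermediates (placeholder path)
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;     # placeholder path

    # Weak: this alone enables stapling but verifies nothing, and without a
    # resolver Nginx cannot look up the responder hostname in the certificate's
    # OCSP URL, so in practice no staple is ever sent.
    #   ssl_stapling on;

    # Corrected:
    ssl_stapling on;
    ssl_stapling_verify on;                                   # reject responses that do not verify
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;   # issuer chain used for that verification (placeholder path)
    resolver 1.1.1.1 9.9.9.9 valid=300s;                      # DNS for the responder hostname; use your own resolvers
    resolver_timeout 5s;
}
```

Reload, then run the openssl s_client -status check twice: Nginx fetches its first response lazily, after the first handshake, so only the second run tells you whether stapling works. The Apache equivalent is SSLUseStapling on inside the VirtualHost plus SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" at server level; setting SSLStaplingReturnResponderErrors off makes Apache send no staple when the fetch fails, rather than stapling the error.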
What happens if the stapled OCSP response expires?
OCSP responses carry a validity window (thisUpdate to nextUpdate), typically a few days; the CA/Browser Forum Baseline Requirements cap it at ten days for subscriber certificates. A well-behaved server refreshes its cached response well before nextUpdate. If it fails to do so (the responder is unreachable, for example), it serves the handshake without a stapled response rather than with a stale one, since clients treat a staple whose nextUpdate has passed as invalid. What happens next depends on the client: some fall back to contacting the responder directly, most browsers simply continue without a revocation result (soft fail), and a client that sees the OCSP Must-Staple extension in the certificate refuses the connection. Monitoring the nextUpdate of the staple your server actually sends is therefore worthwhile.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.