OCSP Stapling - Configuration and Performance

Improve the performance and privacy of your SSL connections.

OCSP (Online Certificate Status Protocol) allows browsers to check if an SSL certificate has been revoked. OCSP Stapling is an improvement that allows your server to provide this verification directly, improving both performance and privacy.

Without stapling, the browser must contact the certificate authority for each connection, adding latency and revealing your browsing habits to the CA. With stapling, the server includes the OCSP response in the SSL handshake.

MoniTao monitors your certificates and can detect SSL configuration issues, including OCSP-related problems.

What is OCSP Stapling?

Understanding how OCSP Stapling works:

  • Revocation checking: OCSP allows checking if a certificate has been revoked without downloading the entire CRL (Certificate Revocation List).
  • Stapling: the server periodically requests an OCSP response from the CA and "staples" it to each SSL handshake.
  • Signed response: the OCSP response is signed by the CA, so the browser can trust it even though it comes from the server.
  • Cache: the OCSP response is cached by the server (typically valid for several days), reducing requests to the CA.

Benefits of OCSP Stapling

Why enable OCSP Stapling:

  • Performance: eliminates the browser's round-trip to the CA, reducing SSL handshake latency.
  • Privacy: the CA no longer sees which sites your users visit, improving their privacy.
  • Reliability: if the CA's OCSP server is down, your visitors aren't impacted (the server uses its cached response).
  • Better SSL score: SSL Labs values OCSP Stapling in its scoring, contributing to a better grade.

Configuring OCSP Stapling

How to enable OCSP Stapling on your server:

  1. Check compatibility: ensure your server (Nginx 1.3.7+, Apache 2.3.3+) supports OCSP Stapling.
  2. Configure the certificate: you need the complete certificate with the intermediate chain.
  3. Enable in configuration: add OCSP Stapling directives to your server configuration.
  4. Test: verify stapling works with openssl or SSL Labs.

OCSP Stapling Configuration

Examples for Nginx and Apache:

# Nginx - OCSP Stapling (inside the server block for the HTTPS site)
ssl_stapling on;
# Verify the CA's signature on the OCSP response before stapling it
ssl_stapling_verify on;
# Chain used for that verification: must contain the issuing intermediate certificate(s)
ssl_trusted_certificate /path/to/fullchain.pem;
# Nginx resolves the OCSP responder's hostname itself, so it needs a DNS resolver
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Apache - OCSP Stapling
SSLUseStapling On
# The cache must be defined at server (global) level, outside any <VirtualHost>
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
# Seconds to wait for the CA's OCSP responder
SSLStaplingResponderTimeout 5
# On responder errors, serve the handshake without a staple instead of stapling the error
SSLStaplingReturnResponderErrors Off

# Test OCSP Stapling (</dev/null closes s_client's stdin so it exits after the handshake)
openssl s_client -connect yoursite.com:443 -status </dev/null 2>/dev/null | grep -A 17 "OCSP response"

After enabling, verify with the openssl command that the OCSP response is included in the handshake.

Best Practices

Tips for OCSP Stapling:

  • Use the complete chain: the file given to ssl_trusted_certificate must contain the intermediate certificates, otherwise Nginx cannot verify the OCSP response and will not staple it.
  • Configure a resolver: Nginx needs a DNS resolver to contact the CA's OCSP server.
  • Monitor errors: check logs for OCSP retrieval failures that could indicate a problem.
  • Test regularly: use SSL Labs or testssl.sh to verify stapling remains active after configuration changes.
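The openssl test above and the "Monitor errors" / "Test regularly" tips all come down to reading the OCSP section of s_client's output. The following POSIX shell script is an added example, not code from the MoniTao page: check_stapling classifies that output (stapled and good, revoked, nothing stapled, or unreadable), next_update extracts the expiry of the stapled response, and probe_site is a thin wrapper around the live openssl command. The two sample outputs are constructed, abridged copies of what s_client prints, embedded so the script runs offline; the function names and the example CA name are assumptions.

```shell
#!/bin/sh
# Added example (not from the MoniTao page): interpret the output of
#   openssl s_client -connect host:443 -status </dev/null 2>/dev/null
# Reads s_client output on stdin and prints one word:
#   STAPLED     - a successful OCSP response with "Cert Status: good" was stapled
#   REVOKED     - a response was stapled, but the CA reports the certificate revoked
#   NO_RESPONSE - the server stapled nothing (stapling off, or cache empty/expired)
#   UNKNOWN     - no usable OCSP section in the output
# Exit status is 0 only for STAPLED, so it can drive a cron/monitoring alert.
check_stapling() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*)
      echo NO_RESPONSE; return 1 ;;
  esac
  if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    echo UNKNOWN; return 1
  fi
  status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
  case "$status" in
    good)    echo STAPLED; return 0 ;;
    revoked) echo REVOKED; return 1 ;;
    *)       echo UNKNOWN; return 1 ;;
  esac
}

# Prints the "Next Update" timestamp of the stapled response (stdin = s_client output).
# When this time passes and the server has not refreshed, stapling silently stops.
next_update() {
  sed -n 's/^ *Next Update: *//p' | head -n 1
}

# Live check against a real host (needs network access). -servername sets SNI.
probe_site() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
    | check_stapling
}

# Constructed sample: what s_client prints when a good response is stapled (abridged)
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Example CA, CN = Example Intermediate
    Produced At: Jan  1 00:00:00 2025 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Jan  1 00:00:00 2025 GMT
    Next Update: Jan  8 00:00:00 2025 GMT
======================================
---
Certificate chain'

# Constructed sample: what s_client prints when the server staples nothing
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Offline demonstration with the constructed samples
printf '%s\n' "$SAMPLE_STAPLED" | check_stapling                 # STAPLED
printf '%s\n' "$SAMPLE_STAPLED" | next_update                    # Jan  8 00:00:00 2025 GMT
printf '%s\n' "$SAMPLE_NONE"    | check_stapling || true         # NO_RESPONSE
```

For a real site, run `probe_site yoursite.com`; a non-zero exit is the condition to alert on. Note that NO_RESPONSE on the very first connection after a restart can be normal for Nginx, which fetches its first OCSP response lazily, so re-check a few seconds later before treating it as a failure.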

OCSP Stapling Checklist

  • Compatible server (Nginx 1.3.7+, Apache 2.3.3+)
  • Complete certificate chain configured
  • DNS resolver configured (Nginx)
  • Stapling enabled in configuration
  • openssl test shows OCSP Response
  • SSL Labs confirms "OCSP Stapling: Yes"

Frequently Asked Questions

Is OCSP Stapling mandatory?

No, but it's a good practice for performance and privacy. Most modern SSL configurations include it.

What happens if the CA doesn't respond?

The server uses its cached OCSP response as long as it's valid. If the cache expires, stapling becomes temporarily unavailable.

Does Let's Encrypt support OCSP Stapling?

Yes, Let's Encrypt provides OCSP responses and stapling works normally with their certificates.

Does OCSP Stapling impact server performance?

Impact is negligible. The server makes one OCSP request every few hours, not with each client connection.

How do I know if stapling is active on a site?

Use SSL Labs (ssllabs.com/ssltest) or the command openssl s_client -connect site.com:443 -status </dev/null, then look at the "OCSP response:" line of the output: "no response sent" means nothing was stapled.

Does MoniTao check OCSP Stapling?

MoniTao monitors your SSL certificate validity. To specifically check OCSP Stapling, use SSL Labs.

Optimize Your SSL Connections

OCSP Stapling is a simple optimization that improves both performance and privacy of your SSL connections. Enabling it takes just a few minutes.

Combine OCSP Stapling with MoniTao for optimal SSL configuration: maximum performance and proactive certificate monitoring.

Ready to Sleep Soundly?

Start free, no credit card required.