
What Is OCSP Stapling and How Does It Work?

OCSP stapling is a performance-enhancing and privacy-protecting extension to the Online Certificate Status Protocol (OCSP). Its job is to streamline validation of an SSL/TLS certificate’s revocation status. Without OCSP stapling, browsers contact the certificate authority (CA) directly to verify the certificate’s status, a process that adds latency and raises potential privacy issues.

When OCSP stapling is enabled, the server attaches (or “staples”) a signed response from the CA to the SSL/TLS handshake, eliminating the need for browsers to query the CA. If misconfigured, users may see browser security warnings (like the one below) due to certificate revocation check failures, which leave businesses and customers at risk.  

OCSP stapling article graphic: An example of the type of error message users will see when visiting your website if its SSL/TLS certificate is expired.

Now that we’ve answered the question “what is OCSP stapling?” it’s time to answer what you really came here to learn: “how does OCSP stapling work?” 

How OCSP Stapling Works 

  1. The web server periodically fetches the OCSP response from the CA’s responder. (This is what indicates whether a certificate’s status is valid, revoked, or listed as “unknown.”)
  2. It caches the response locally. This ensures the data is readily available to quickly whip out as needed.
  3. During the SSL/TLS handshake, the server includes the cached OCSP response in the handshake packet. 
  4. The browser verifies the stapled OCSP response instead of contacting the CA directly. 

Here’s a quick overview of what this process looks like: 

A graphic that answers the question "how does OCSP stapling work as part of the overarching SSL/TLS handshake?"

This approach of using cached OCSP data reduces response time, preserves privacy, and improves reliability. 

Benefits of OCSP Stapling 

  • Improved Performance: Eliminates round-trip delays, because the client no longer needs to contact the CA’s OCSP responder during the handshake.
  • Better Privacy: Prevents user IP addresses from being exposed to third-party CAs. 
  • Error Mitigation: Reduces chances of certificate revocation errors or page load failures. 

How to Check OCSP Stapling Is Enabled Using CertPanel SSL Monitor 

SSL Monitor is a feature of the CertPanel automated security platform that simplifies OCSP stapling verification:  

  1. Log in to CertPanel and open SSL Monitor
  2. Run a scan on your domain (e.g., testroot.net). 
  3. Check the scan results under Certificate Information
  4. The OCSP Stapling field will show whether it’s enabled. If it’s not, this tool will provide additional details (including guidance on how to resolve the issue).

How to Enable OCSP Stapling on Servers 

Windows Server 2022 / IIS 

  1. Open IIS Manager > Site > SSL Settings
  2. In Bindings, confirm HTTPS is selected with a valid certificate. 
  3. Click Edit and uncheck Disable OCSP Stapling
  4. Run iisreset /restart in Command Prompt and hit Enter

Apache 

There may be a few small changes to the following steps based on which distribution and Apache version you’re using. For example, your configuration file may be stored at a different file path for Ubuntu than it would be for other distros, such as CentOS or Red Hat Enterprise Linux (RHEL).

  1. Open the Apache SSL configuration file on Ubuntu 22.04 using the following command: 
sudo vim /etc/apache2/sites-available/default-ssl.conf 

For CentOS, RHEL, or Rocky Linux, you must change the file path to /etc/httpd/conf.d/ssl.conf

  2. Add the following configurations within the <VirtualHost> or <VirtualHost *:443> block:
# Enable SSL & OCSP stapling 
SSLEngine on 
SSLUseStapling on 

# Configure Stapling Options 
SSLStaplingResponderTimeout 5 

# Specify bundle or full certificate chain (Root, Intermediate, and Server) 
SSLCertificateChainFile /etc/ssl/certs/My_CA_Bundle.ca-bundle
  3. Specify the OCSP cache type, cached response location, and cache size outside the <VirtualHost> or <VirtualHost *:443> block. For example, you could use something similar to this for Ubuntu:
SSLStaplingCache shmcb:/var/run/ocsp(128000) 

Note: Apache requires both SSLUseStapling on and SSLStaplingCache for OCSP stapling to work correctly. If the cache directive is missing, stapling won’t function even if it’s enabled. 

Optional (but recommended) directives include: 

  • SSLStaplingResponderTimeout: Defines timeout for the CA’s OCSP response. 
  • SSLStaplingReturnResponderErrors: Passes OCSP responder errors to clients for better visibility. 
  • SSLCertificateChainFile: Ensures a complete certificate chain is presented (particularly important for intermediate certificates). 

For CentOS, RHEL, or Rocky Linux users, your commands vary slightly: httpd takes the place of apache2 in both the file path and the service name used below.

  4. Save the file and restart Apache:
sudo systemctl restart apache2 

NGINX 

These NGINX directions may vary based on your server’s Linux version and distro.

  1. Open the NGINX configuration file using the following command:
sudo vim /etc/nginx/conf.d/testroot.conf 
  2. Add the following directives inside your server block:
# Enable and verify OCSP stapling 
ssl_stapling on; 
ssl_stapling_verify on; 

# Configure DNS resolvers for OCSP 
resolver 8.8.8.8 8.8.4.4 valid=300s; 
resolver_timeout 10s;

# Provide the full certificate chain to clients (server cert + intermediate) 
ssl_certificate /etc/ssl/certs/fullchain.crt; 
ssl_certificate_key /etc/ssl/private/PRIVATEKEY.key; 

# Required for proper OCSP stapling verification 
ssl_trusted_certificate /etc/ssl/certs/My_CA_Bundle.ca-bundle; 
  3. Generate fullchain.crt

The fullchain.crt is a single file combining your server certificate with the CA intermediate certificates provided by your SSL issuer (e.g., Sectigo/Comodo). 

To generate it, run the following command: 

cat /path/to/your_server_certificate.crt /path/to/CA_bundle.ca-bundle | sudo tee /etc/ssl/certs/fullchain.crt > /dev/null

Note that the redirection is done through sudo tee rather than a plain > redirect, because a shell redirect runs with your own privileges, not root’s, and would fail to write into /etc/ssl/certs. The server certificate must come first in the file, followed by the intermediates. For example, your command may look something like this:

cat /etc/ssl/certs/ocsp_testroot_net.crt /etc/ssl/certs/My_CA_Bundle.ca-bundle | sudo tee /etc/ssl/certs/fullchain.crt > /dev/null

Why This Is Important 

A complete certificate chain ensures trust validation by browsers and prevents “incomplete chain” warnings during scans. 

  4. Restart NGINX:
sudo systemctl restart nginx 

Troubleshooting OCSP Stapling 

  • Incomplete Certificate Chain: Ensure your chain file (the CA bundle referenced above, or fullchain.crt for NGINX) includes all intermediate certificates.
  • Firewall Restrictions: You must configure your firewall to allow the server access to the CA’s OCSP responder URL. 
  • Expired OCSP Response: Make sure the server is configured to refresh the response before expiry. Otherwise, some clients may fail the connection if the OCSP response is old. 
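To confirm that the handshake described in “How OCSP Stapling Works” actually carries a staple, and to catch the “missing” and “expired response” cases from the troubleshooting list, here is an added example (not from the original article or CertPanel) that parses the output of `openssl s_client -status` and classifies the stapled response. It assumes the `openssl` binary is on PATH; the sample output embedded below is constructed for offline testing, not captured from a real host.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of what `openssl s_client -status` prints for a server that
# staples a good response (trimmed); not captured from any real host.
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jan  1 12:00:00 2024 GMT
    Next Update: Jan  8 12:00:00 2024 GMT
======================================
"""

def parse_openssl_time(text):
    """Parse openssl's 'Jan  8 12:00:00 2024 GMT' timestamp into an aware UTC datetime."""
    return datetime.strptime(" ".join(text.split()),
                             "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_staple(output):
    """Extract the stapled OCSP fields; None if the server sent no staple at all."""
    if "OCSP Response Data:" not in output:     # openssl prints "no response sent"
        return None
    def field(name):
        m = re.search(rf"^\s*{name}: (.+?)\s*$", output, re.M)
        return m.group(1) if m else None
    times = {k: field(k) for k in ("This Update", "Next Update")}
    return {"status": field("OCSP Response Status"), "cert_status": field("Cert Status"),
            "this_update": parse_openssl_time(times["This Update"]) if times["This Update"] else None,
            "next_update": parse_openssl_time(times["Next Update"]) if times["Next Update"] else None}

def assess(staple, now=None, margin=timedelta(hours=24)):
    """Classify the staple: missing, bad cert status, expired, stale (expires within margin), ok."""
    now = now or datetime.now(timezone.utc)
    if staple is None:
        return "missing"              # SSLUseStapling / ssl_stapling not taking effect
    if staple["cert_status"] != "good":
        return "cert_status:" + str(staple["cert_status"])
    if staple["next_update"] is None or staple["next_update"] <= now:
        return "expired"              # cached response not refreshed; clients may reject it
    if staple["next_update"] - now < margin:
        return "stale"                # refresh is due before clients start rejecting it
    return "ok"

def check_server(host, port=443):
    # Connect with openssl (assumed on PATH), request a staple, and assess it.
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=20).stdout
    return assess(parse_staple(out.decode(errors="replace")))
```

Running `check_server("yourdomain.example")` on a schedule and alerting on anything other than `ok` catches a stapling cache that has silently stopped refreshing before browsers start showing the warnings mentioned above.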

Final Words on OCSP Stapling

OCSP stapling boosts SSL/TLS performance and privacy while minimizing revocation-related errors. CertPanel’s SSL Monitor helps you validate and maintain your OCSP stapling status and configurations with ease, ensuring secure and responsive web experiences for users.