
OCSP Stapling: Implementation Guide for Faster Certificate Validation

Learn how to implement OCSP stapling to improve TLS performance and user privacy. Covers configuration for Nginx, Apache, and HAProxy with troubleshooting tips.

By Inventive HQ Team

OCSP stapling lets the server fetch its own certificate's revocation status from the CA and deliver it inside the TLS handshake, so clients no longer have to query the CA's OCSP responder themselves. That removes a round trip from the handshake and stops the CA from learning which sites each client visits. The server still needs periodic access to the responder to refresh the response, but the handshake itself no longer depends on it. This guide covers implementation across major web servers.

How OCSP Stapling Works

┌─────────────────────────────────────────────────────────────────┐
│                WITHOUT OCSP STAPLING                            │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌──────────┐        TLS         ┌──────────┐                  │
│  │  Client  │ ◄────────────────► │  Server  │                  │
│  └────┬─────┘                    └──────────┘                  │
│       │                                                         │
│       │  Is this cert revoked?                                  │
│       │  (+100-500ms latency)                                   │
│       ▼                                                         │
│  ┌────────────┐                                                 │
│  │    CA      │  ← Privacy leak: CA sees every site you visit  │
│  │   OCSP     │                                                 │
│  │ Responder  │                                                 │
│  └────────────┘                                                 │
│                                                                 │
├─────────────────────────────────────────────────────────────────┤
│                  WITH OCSP STAPLING                             │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌────────────┐   Periodic fetch   ┌──────────┐                │
│  │    CA      │ ◄─────────────────►│  Server  │                │
│  │   OCSP     │   (every few hrs)  │  (cache) │                │
│  │ Responder  │                    └────┬─────┘                │
│  └────────────┘                         │                       │
│                                         │                       │
│  ┌──────────┐    TLS + stapled     ┌────┴─────┐                │
│  │  Client  │ ◄─────OCSP resp─────►│  Server  │                │
│  └──────────┘    (no extra RTT)    └──────────┘                │
│                                                                 │
│  Benefits:                                                      │
│  ✓ No latency (response already in handshake)                  │
│  ✓ Privacy (CA doesn't see client IP/sites)                    │
│  ✓ Reliability (doesn't depend on CA availability)             │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Nginx Configuration

Basic Setup

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    # Enable OCSP Stapling and verify the fetched response before stapling it.
    # nginx fetches the response after the first handshake, so the very first
    # client connection never carries a staple.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Certificates used to verify the OCSP response signature: the issuing
    # intermediate(s) and, per the nginx docs, the root CA. A Let's Encrypt
    # style fullchain.pem supplies the intermediate; append the root if the
    # error log reports a verification failure.
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;

    # Resolver for the OCSP responder hostname. Without one nginx starts, but
    # logs an error on the first handshake and never staples. Prefer your own
    # resolver over public ones; ipv6=off avoids failures on IPv4-only hosts.
    resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off;
    resolver_timeout 5s;

    # Optional: override the responder URL taken from the certificate's AIA extension
    # ssl_stapling_responder http://ocsp.ca.com/;
}

With Local OCSP Response File (Advanced)

# Serve a pre-fetched response instead of querying the responder at runtime.
# nginx does not refresh this file: a cron job must regenerate it before
# Next Update and reload nginx, or clients will be handed an expired staple.
ssl_stapling_file /etc/nginx/ssl/ocsp.der;

# Generate with (the responder URL comes from the certificate's AIA extension;
# -respout writes DER, which is what ssl_stapling_file expects):
# openssl ocsp -issuer intermediate.pem -cert server.pem \
#   -url "$(openssl x509 -in server.pem -noout -ocsp_uri)" -respout ocsp.der

Apache Configuration

Apache 2.4+

# Global configuration (outside VirtualHost). Requires mod_ssl and
# mod_socache_shmcb; SSLStaplingCache is not valid inside a VirtualHost.
SSLStaplingCache shmcb:/var/run/apache2/ocsp(128000)

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # The intermediate(s) are needed to find the issuer for the OCSP query.
    # SSLCertificateChainFile is deprecated since 2.4.8: on current releases
    # append the intermediates to server.crt instead.
    SSLCertificateChainFile /etc/apache2/ssl/chain.crt

    # Enable OCSP Stapling
    SSLUseStapling On
    SSLStaplingResponderTimeout 5
    # Never staple a responder error (or a synthesized "tryLater") to clients;
    # a client that receives no staple falls back to its own check instead
    SSLStaplingReturnResponderErrors Off
    SSLStaplingFakeTryLater Off

    # Optional: Force specific OCSP responder
    # SSLStaplingForceURL http://ocsp.ca.com
</VirtualHost>

HAProxy Configuration

global
    # HAProxy before 2.8 does not fetch OCSP responses itself: a script has
    # to fetch them (see below) and then reload HAProxy or push the response
    # over the runtime socket. HAProxy 2.8+ can refresh automatically when
    # the certificate is listed in a crt-list file with "ocsp-update on".

frontend https
    # combined.pem = server certificate + private key + intermediate chain.
    # HAProxy loads the stapled response from the sibling file
    # combined.pem.ocsp (DER), not from inside the PEM. If the chain in the
    # PEM lacks the issuer, it also needs combined.pem.issuer.
    bind *:443 ssl crt /etc/haproxy/certs/combined.pem

# Build combined.pem once:
# cat server.pem privkey.pem chain.pem > /etc/haproxy/certs/combined.pem
#
# Refresh the OCSP response with a script (responder URL from the certificate):
# openssl ocsp -issuer chain.pem -cert server.pem \
#   -url "$(openssl x509 -in server.pem -noout -ocsp_uri)" \
#   -respout /etc/haproxy/certs/combined.pem.ocsp
# systemctl reload haproxy
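
An added example, not part of the original article or of HAProxy's own tooling, that turns the refresh commands above into a script a cron job can run: it reads the responder URL from the certificate, verifies the response signature against a trust anchor before installing anything, replaces the .ocsp file atomically, and pushes the new response over HAProxy's runtime socket so no reload is needed. The same fetch produces the DER file that nginx's ssl_stapling_file (earlier on this page) expects; point OCSP_OUT at that path and reload nginx instead of pushing. The file paths, the root.pem trust anchor, the fetch/push/refresh subcommands and the socket location (a "stats socket ... level admin" line in the global section) are this example's assumptions, not anything the article specifies; socat is used for the socket and base64 -w0 is the GNU form.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): fetch, verify and install the
# OCSP response that HAProxy staples; the same DER file serves nginx's
# ssl_stapling_file. Assumed paths (not in the article):
#   CERT   combined.pem = server cert + private key + intermediate chain
#   ISSUER chain.pem    = issuing intermediate first
#   TRUST  root.pem     = trust anchor used to verify the responder signature
#   SOCK   HAProxy runtime socket ("stats socket ... level admin")
set -eu

CERT=${CERT:-/etc/haproxy/certs/combined.pem}
ISSUER=${ISSUER:-/etc/haproxy/certs/chain.pem}
TRUST=${TRUST:-/etc/haproxy/certs/root.pem}
OUT=${OCSP_OUT:-$CERT.ocsp}   # HAProxy convention: "<crt>.ocsp" beside the cert
SOCK=${HAPROXY_SOCK:-/var/run/haproxy.sock}

# Decide whether a fetched response may be installed, from the text that
# "openssl ocsp -resp_text" prints (the verify verdict goes to stderr, so the
# caller captures both streams). Only a verified "good" response is acceptable:
# an error or "revoked" response would otherwise be stapled to every client.
response_ok() {
    printf '%s\n' "$1" | grep -q '^Response verify OK$' || return 1
    printf '%s\n' "$1" | grep -q '^ *Cert Status: good$' || return 1
}

fetch_ocsp() {
    url=$(openssl x509 -in "$CERT" -noout -ocsp_uri)
    [ -n "$url" ] || { echo "certificate carries no OCSP URI; nothing to staple" >&2; return 1; }
    tmp=$(mktemp "$(dirname "$OUT")/.ocsp.XXXXXX")
    # -respout writes the DER response; -CAfile makes openssl verify the
    # responder's signature chain instead of trusting whatever came back
    text=$(openssl ocsp -issuer "$ISSUER" -cert "$CERT" -url "$url" \
             -CAfile "$TRUST" -respout "$tmp" -resp_text 2>&1) || true
    if ! response_ok "$text"; then
        rm -f "$tmp"
        printf 'rejected OCSP response:\n%s\n' "$text" >&2
        return 1
    fi
    mv -f "$tmp" "$OUT"   # atomic replace: HAProxy never reads a partial file
}

push_to_haproxy() {
    # Live update without a reload; the runtime API takes the DER response base64-encoded
    printf 'set ssl ocsp-response %s\n' "$(base64 -w0 "$OUT")" \
        | socat stdio "unix-connect:$SOCK"
}

case "${1:-}" in
    fetch)   fetch_ocsp ;;
    push)    push_to_haproxy ;;
    refresh) fetch_ocsp && push_to_haproxy ;;
esac
```

Run it as ./refresh-ocsp.sh refresh from cron at an interval well inside the responder's Next Update window (a few hours is typical) so that one failed fetch never leaves an expired staple in service. response_ok is what keeps an error or revoked response from ever being installed, the same failure mode that SSLStaplingReturnResponderErrors Off guards against on Apache.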

Testing OCSP Stapling

OpenSSL Test

# Check if stapling is working. -servername sends SNI so the server picks the
# right certificate; grep -i catches both "OCSP Response Data:" and the
# lowercase "OCSP response: no response sent". Run it twice against a freshly
# started nginx, which only fetches the response after the first handshake.
echo | openssl s_client -connect example.com:443 -servername example.com -status 2>/dev/null \
  | grep -i -A 20 "OCSP response"

# Expected output:
# OCSP Response Data:
#     OCSP Response Status: successful (0x0)
#     Response Type: Basic OCSP Response
#     ...
#     Cert Status: good
#     This Update: Jan 10 00:00:00 2025 GMT
#     Next Update: Jan 17 00:00:00 2025 GMT

# If not working, you'll see:
# OCSP response: no response sent

Extract OCSP Responder URL

# Find OCSP responder URL from certificate
openssl x509 -in server.crt -noout -ocsp_uri
# Output: http://ocsp.digicert.com

# Test OCSP responder directly
openssl ocsp -issuer chain.pem -cert server.pem \
  -url http://ocsp.digicert.com -resp_text

SSL Labs Test

Visit https://www.ssllabs.com/ssltest/ and check the "OCSP Stapling" field in the results. It should show "Yes" with response details.

Troubleshooting

Common Issues

Symptom: "OCSP response: no response sent"
  Cause: the server hasn't fetched a response yet (nginx fetches after the first handshake), or stapling isn't enabled in the server block that serves this name
  Solution: connect a second time, or pre-fetch with ssl_stapling_file; confirm ssl_stapling on is in the right vhost

Symptom: "OCSP Response Status" other than successful (e.g. trylater, unauthorized)
  Cause: CA responder trouble, or the query was built with the wrong issuer certificate
  Solution: check the CA status page and retry later; verify the intermediate in your chain matches the certificate; on Apache keep SSLStaplingReturnResponderErrors Off so errors are never stapled

Symptom: nginx starts but never staples; error log reports that no resolver is defined
  Cause: missing resolver directive
  Solution: add resolver to the server block

Symptom: stapled response expired (Next Update in the past)
  Cause: the periodic refresh failed
  Solution: check the outbound firewall (responders use port 80), DNS resolution and the error log

Debug Commands

# Check OCSP responder is reachable over plain HTTP (responders may answer
# 404/405 to HEAD; a timeout or connection refused is the real signal)
curl -I http://ocsp.digicert.com

# Manual OCSP query
openssl ocsp -issuer chain.pem -cert server.pem \
  -url http://ocsp.digicert.com -noverify

# Check response validity period
openssl ocsp -issuer chain.pem -cert server.pem \
  -url http://ocsp.digicert.com -resp_text | grep -E "This Update|Next Update"

Nginx Specific

# Validate the configuration (catches syntax errors; stapling problems only
# show up at runtime in the error log)
nginx -t

# Trigger the fetch: nginx requests the OCSP response after the first
# handshake, so the second connection is the first one that carries a staple
curl -sI https://example.com >/dev/null; curl -sI https://example.com >/dev/null

# Check Nginx error log for stapling messages (for example "ssl_stapling
# ignored, issuer certificate not found" or a missing resolver)
grep -i -E "ocsp|stapling" /var/log/nginx/error.log | tail
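
An added example, not from the original article, that turns the openssl s_client test above into a monitoring check (best practice 4 on this page): it probes the host twice, parses the stapled response, and exits 0 for a good staple, 1 when there is none or its status is not good, and 2 when the staple's Next Update is closer than a threshold, which is the early warning that the server's refresh has stopped working. The threshold, the exit-code convention and the host argument are this example's choices; GNU date is assumed for parsing the Next Update timestamp, and the parser is kept separate from the probe so it can be exercised on saved output.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): a stapling health check for
# cron or a monitoring agent. check_host captures "openssl s_client -status"
# output; check_staple parses it, so it also runs offline on saved output.
# The threshold below and the exit codes are this example's assumptions.
set -eu

MIN_VALID_SECS=${MIN_VALID_SECS:-86400}   # warn when the staple expires within a day

# usage: check_staple NOW_EPOCH  < s_client output
# returns 0 = healthy, 1 = no usable staple or status not "good", 2 = about to expire
check_staple() {
    now=$1
    out=$(cat)
    # "OCSP response: no response sent" and error statuses both lack this line
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo "CRITICAL: no successful stapled OCSP response"
        return 1
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    if [ "$status" != "good" ]; then
        echo "CRITICAL: stapled status is '${status:-unknown}'"
        return 1
    fi
    next=$(printf '%s\n' "$out" | sed -n 's/^ *Next Update: *//p' | head -n 1)
    if [ -z "$next" ]; then
        # Responder set no nextUpdate: clients accept it, but it never ages out
        echo "WARNING: staple carries no Next Update"
        return 2
    fi
    next_epoch=$(date -u -d "$next" +%s)   # GNU date parses "Jan 17 00:00:00 2025 GMT"
    remaining=$((next_epoch - now))
    if [ "$remaining" -lt "$MIN_VALID_SECS" ]; then
        echo "WARNING: staple expires in ${remaining}s (refresh is not keeping up)"
        return 2
    fi
    echo "OK: stapled status good, ${remaining}s until Next Update"
}

check_host() {
    host=$1
    port=${2:-443}
    out=""
    # Connect twice: nginx fetches its first response only after a handshake,
    # so a single probe against a freshly started server is a false alarm.
    for _ in 1 2; do
        out=$(echo | openssl s_client -connect "$host:$port" -servername "$host" \
                -status 2>/dev/null || true)
    done
    printf '%s\n' "$out" | check_staple "$(date -u +%s)"
}

case "${1:-}" in
    "") ;;
    *) check_host "$1" "${2:-443}" ;;
esac
```

Invoke it as ./check-staple.sh example.com and alert on any non-zero exit; exit code 2 is the one to page on before users notice, because a staple that is about to expire means the refresh path (DNS, outbound port 80, the responder) has already been failing for a while.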

OCSP Must-Staple

For maximum security, consider OCSP Must-Staple (use with caution):

Generate CSR with Must-Staple

# Add the TLS Feature extension to the CSR. The appended [must_staple]
# section only takes effect when -reqexts selects it (bash: process substitution)
openssl req -new -key server.key -out server.csr \
  -config <(cat /etc/ssl/openssl.cnf \
    <(printf "\n[must_staple]\ntlsfeature = status_request")) \
  -reqexts must_staple
# Confirm before submitting: openssl req -in server.csr -noout -text | grep -A 1 "TLS Feature"
# Whether the CA copies the extension into the issued certificate is CA policy.

Verify Certificate Has Must-Staple

openssl x509 -in server.crt -noout -text | grep -A 1 "TLS Feature"
# Should show: status_request

Warning: Must-Staple turns every stapling failure into an outage for clients that enforce the extension. Firefox rejects the connection when no valid stapled response is present, while Chrome currently ignores the extension, so a failure also shows up inconsistently across browsers. Only enable it if you have:

  • Reliable OCSP stapling infrastructure
  • Monitoring for stapling failures
  • Fast incident response capability

Performance Impact

Scenario                           Latency impact
No OCSP checking                   0 ms (revocation is never checked)
OCSP stapling                      0 ms extra (server pre-fetches; the response rides in the handshake)
Client OCSP query                  +100-500 ms per connection (DNS lookup plus an HTTP round trip to the CA)
Client soft-fail, responder down   the client waits for its OCSP timeout (seconds), then proceeds with no revocation information

Best Practices

  1. Always enable stapling - No client-side downside; improves performance and privacy
  2. Include the full certificate chain - The OCSP query needs the issuing intermediate, and response verification needs the CA certificates
  3. Configure a DNS resolver - Nginx needs it to look up the OCSP responder
  4. Monitor stapling status - Alert if the staple disappears, reports anything but "good", or its Next Update is getting close
  5. Consider Must-Staple carefully - Stronger revocation guarantees, but a stapling failure becomes an outage
  6. Allow outbound port 80 - OCSP responders use plain HTTP (the response is signed, so TLS adds nothing); block it and refreshes fail
  7. Test after changes - Verify stapling works in production, with a second connection on nginx

Frequently Asked Questions

What is OCSP stapling?

OCSP stapling lets your server fetch and cache the certificate revocation status from the CA, then "staple" it to the TLS handshake. Without stapling, each client must separately query the CA's OCSP responder, adding latency (100-500 ms) and leaking browsing data to the CA. With stapling, the server provides the cached, CA-signed response, improving performance and protecting user privacy.

How does OCSP stapling differ from regular OCSP?

With regular OCSP, the client contacts the CA's OCSP responder to check whether a certificate is revoked, adding latency and privacy concerns. With OCSP stapling, the server proactively fetches the OCSP response and includes it in the TLS handshake. The client verifies the CA's signature on the response without making a separate network request. Same validation, better performance and privacy.

How do I enable OCSP stapling in Nginx?

Add to your server block: ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/fullchain.pem; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s;. The trusted certificate file must include the intermediate certificates (and, per the nginx docs, the root). Test with: echo | openssl s_client -connect domain.com:443 -servername domain.com -status | grep -i -A 10 "OCSP response", run twice because nginx only fetches the response after the first handshake. You should see "OCSP Response Status: successful".

How do I enable OCSP stapling in Apache?

Add SSLUseStapling On to the VirtualHost and SSLStaplingCache shmcb:/var/run/ocsp(128000) to the global configuration (the cache directive is not valid inside a VirtualHost, and mod_socache_shmcb must be loaded). For Apache 2.4+, also add SSLStaplingResponderTimeout 5 and SSLStaplingReturnResponderErrors Off. Make sure the intermediate certificates are configured (appended to SSLCertificateFile, or via the deprecated SSLCertificateChainFile) so mod_ssl can find the issuer and build the OCSP query. Restart Apache and test with openssl s_client.

Why isn't OCSP stapling working?

Common causes:

  1. Missing resolver directive (Nginx) preventing OCSP responder lookup
  2. Firewall blocking outbound connections to the OCSP responder (usually port 80)
  3. Missing intermediate certificates in ssl_trusted_certificate (Nginx) or the certificate chain (Apache)
  4. No OCSP responder URL in the certificate; check with openssl x509 -noout -ocsp_uri -in cert.pem
  5. Server hasn't fetched the first response yet (Nginx fetches after the first handshake, so the first connection never carries a staple)

What is OCSP Must-Staple?

OCSP Must-Staple is a certificate extension (TLS Feature, OID 1.3.6.1.5.5.7.1.24) that tells clients to require OCSP stapling: connections fail if the server doesn't provide a valid stapled response. It prevents downgrade attacks where attackers block OCSP traffic to keep using a revoked certificate. Today Firefox enforces it and Chrome ignores it. Use cautiously: if stapling fails, your site becomes inaccessible to enforcing clients. Only enable it if you have robust stapling infrastructure and monitoring.

How often does the OCSP response need to be refreshed?

OCSP responses have a validity period (the nextUpdate field), typically 1-7 days depending on the CA. Servers must refresh before it expires. Nginx refreshes automatically in the background once a cached response passes its refresh time, and Apache's SSLStaplingStandardCacheTimeout controls how long a response is cached before it is queried again. With nginx's ssl_stapling_file or HAProxy's .ocsp file, refreshing is your cron job's responsibility. If the cached response expires and refresh keeps failing, clients either fall back to direct OCSP queries or soft-fail.

Does Let's Encrypt support OCSP stapling?

Historically yes: Let's Encrypt certificates carried an OCSP URL in the AIA extension (ocsp.int-x3.letsencrypt.org belonged to the long-retired X3 intermediate; each intermediate has its own responder, so always read the URL from the certificate with openssl x509 -noout -ocsp_uri), responses were valid for 7 days, and the responder had to be reachable on port 80. Let's Encrypt has, however, announced that it is winding down OCSP during 2025 in favor of CRLs, including no longer issuing Must-Staple certificates. Check a freshly issued certificate: if it has no OCSP URI there is nothing to staple, and the stapling directives are simply inert.

What is the difference between soft-fail and hard-fail OCSP?

Soft-fail (Firefox's default; Chrome does not query OCSP online for most certificates and relies on its CRLSet instead) allows the connection if the OCSP response is unavailable, so an attacker who can block OCSP traffic can keep using a revoked certificate. Hard-fail rejects connections without a valid OCSP response, which is more secure but causes outages whenever responders are slow or unreachable. OCSP stapling with Must-Staple gives you hard-fail behavior without the client relying on the responder's availability at connection time.

How do I test whether OCSP stapling is working?

Use OpenSSL: echo | openssl s_client -connect domain.com:443 -servername domain.com -status 2>/dev/null | grep -i -A 10 "OCSP response". You should see "OCSP Response Status: successful (0x0)" followed by the response details. If you see "OCSP response: no response sent", stapling isn't working (on nginx, try a second connection first). Also test with SSL Labs (ssllabs.com/ssltest), which reports stapling status.

Do I need to configure OCSP stapling behind a CDN or load balancer?

Most CDNs (Cloudflare, AWS CloudFront, Fastly) handle OCSP stapling automatically, so there is nothing to configure. For load balancers that terminate TLS (HAProxy, F5 and the like), configure stapling on the load balancer, since that is where the handshake happens; the backend servers never see the client's TLS. If you use TLS passthrough, configure stapling on the origin servers. Always verify stapling works after a CDN or load balancer deployment.
