
OCSP Stapling: Implementation Guide for Faster Certificate Validation

Learn how to implement OCSP stapling to improve TLS performance and user privacy. Covers configuration for Nginx, Apache, and HAProxy with troubleshooting tips.

By Inventive HQ Team

OCSP stapling improves TLS performance and protects user privacy by eliminating the need for clients to separately verify certificate revocation status. This guide covers implementation across major web servers.

How OCSP Stapling Works

┌─────────────────────────────────────────────────────────────────┐
│                WITHOUT OCSP STAPLING                            │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌──────────┐        TLS         ┌──────────┐                  │
│  │  Client  │ ◄────────────────► │  Server  │                  │
│  └────┬─────┘                    └──────────┘                  │
│       │                                                         │
│       │  Is this cert revoked?                                  │
│       │  (+100-500ms latency)                                   │
│       ▼                                                         │
│  ┌────────────┐                                                 │
│  │    CA      │  ← Privacy leak: CA sees every site you visit  │
│  │   OCSP     │                                                 │
│  │ Responder  │                                                 │
│  └────────────┘                                                 │
│                                                                 │
├─────────────────────────────────────────────────────────────────┤
│                  WITH OCSP STAPLING                             │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌────────────┐   Periodic fetch   ┌──────────┐                │
│  │    CA      │ ◄─────────────────►│  Server  │                │
│  │   OCSP     │   (every few hrs)  │  (cache) │                │
│  │ Responder  │                    └────┬─────┘                │
│  └────────────┘                         │                       │
│                                         │                       │
│  ┌──────────┐    TLS + stapled     ┌────┴─────┐                │
│  │  Client  │ ◄─────OCSP resp─────►│  Server  │                │
│  └──────────┘    (no extra RTT)    └──────────┘                │
│                                                                 │
│  Benefits:                                                      │
│  ✓ No latency (response already in handshake)                  │
│  ✓ Privacy (CA doesn't see client IP/sites)                    │
│  ✓ Reliability (doesn't depend on CA availability)             │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Nginx Configuration

Basic Setup

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    # Enable OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # Trusted certificates for verifying the OCSP response signature
    # (the issuer chain; nginx's docs call for intermediates plus the root CA)
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;

    # DNS resolver for OCSP responder lookup
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
}

With Local OCSP Response File (Advanced)

# Pre-fetch OCSP response for faster startup. Note: with this directive nginx
# serves the file as-is and does not refresh it, so regenerate it (e.g. from
# cron) well before its Next Update time or clients will see a stale staple.
ssl_stapling_file /etc/nginx/ssl/ocsp.der;

# Generate with (-respout writes the DER-encoded response):
# openssl ocsp -issuer intermediate.pem -cert server.pem \
#   -url http://ocsp.ca.com -respout ocsp.der

Apache Configuration

Apache 2.4+

# Global configuration (outside VirtualHost)
SSLStaplingCache shmcb:/var/run/apache2/ocsp(128000)

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCertificateChainFile /etc/apache2/ssl/chain.crt

    # Enable OCSP Stapling
    SSLUseStapling On
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors Off

    # Optional: Force specific OCSP responder
    # SSLStaplingForceURL http://ocsp.ca.com
</VirtualHost>

HAProxy Configuration

global
    # HAProxy does not fetch OCSP responses itself: refresh them with the
    # script below (HAProxy 2.8+ can also do it with "ocsp-update on" in a crt-list)

frontend https
    bind *:443 ssl crt /etc/haproxy/certs/combined.pem
    # combined.pem = server cert + private key + chain. The OCSP response is not
    # concatenated into it: HAProxy loads the DER file <cert>.ocsp next to the cert.

# Update OCSP with script:
# openssl ocsp -issuer chain.pem -cert server.pem \
#   -url http://ocsp.ca.com -respout /etc/haproxy/certs/combined.pem.ocsp
# cat server.pem server.key chain.pem > /etc/haproxy/certs/combined.pem   # once, and on renewal
# systemctl reload haproxy

Testing OCSP Stapling

OpenSSL Test

# Check if stapling is working (-servername sends SNI so a multi-site host
# presents the certificate you are actually testing)
echo | openssl s_client -connect example.com:443 -servername example.com -status 2>/dev/null | grep -A 20 "OCSP Response"

# Expected output:
# OCSP Response Data:
#     OCSP Response Status: successful (0x0)
#     Response Type: Basic OCSP Response
#     ...
#     Cert Status: good
#     This Update: Jan 10 00:00:00 2025 GMT
#     Next Update: Jan 17 00:00:00 2025 GMT

# If not working, you'll see:
# OCSP response: no response sent
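The check above is the one to put on a schedule so stapling failures are caught before browsers see them (best practice 4 below). The following is an added example, not code from the original post: it runs the same openssl command (assumes openssl is on PATH) and parses the output, alerting when the staple is missing, not "good", or closer than an assumed 24-hour threshold to its Next Update; the sample outputs are constructed.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

OCSP_TIME = "%b %d %H:%M:%S %Y GMT"   # timestamp format openssl prints, e.g. "Jan 10 00:00:00 2025 GMT"

# Constructed sample outputs (not captured from a real host), in the shape `openssl s_client -status` prints
SAMPLE_GOOD = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jan 10 00:00:00 2025 GMT
    Next Update: Jan 17 00:00:00 2025 GMT
"""
SAMPLE_NONE = "OCSP response: no response sent\n"

def utc(*ymdhms):                       # aware UTC datetime, e.g. utc(2025, 1, 12)
    return datetime(*ymdhms, tzinfo=timezone.utc)

def fetch_status_output(host, port=443):
    """Run the post's `openssl s_client -status` check (with SNI) and return its output."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                           "-servername", host, "-status"],
                          input=b"", capture_output=True, timeout=15)
    return proc.stdout.decode(errors="replace")

def _field(text, name):
    """Value of an indented 'Name: value' line in the s_client output, or None."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def check_staple(text, now=None, min_hours=24):
    """Return (ok, reason); ok is False if no staple, non-good status, or expiry within min_hours."""
    now = now or datetime.now(timezone.utc)
    if "no response sent" in text or "OCSP Response Data" not in text:
        return False, "no stapled OCSP response"
    if _field(text, "OCSP Response Status") != "successful (0x0)":
        return False, f"responder status: {_field(text, 'OCSP Response Status')}"
    status = _field(text, "Cert Status")
    if status != "good":
        return False, f"cert status: {status}"   # revoked/unknown must alert, not just log
    next_update = _field(text, "Next Update")     # optional in OCSP; absent means no fixed expiry
    if next_update is None:
        return True, "good (no Next Update in response)"
    expires = datetime.strptime(next_update, OCSP_TIME).replace(tzinfo=timezone.utc)
    if expires <= now:
        return False, "stapled response has expired"
    if expires - now < timedelta(hours=min_hours):   # min_hours is an assumed alert threshold
        return False, f"stapled response expires in {expires - now}"
    return True, f"good until {expires:%Y-%m-%d %H:%M} UTC"
```

Wire `check_staple(fetch_status_output("example.com"))` into cron or your monitoring agent and page on a False result.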

Extract OCSP Responder URL

# Find OCSP responder URL from certificate
openssl x509 -in server.crt -noout -ocsp_uri
# Output: http://ocsp.digicert.com

# Test OCSP responder directly
openssl ocsp -issuer chain.pem -cert server.pem \
  -url http://ocsp.digicert.com -resp_text

SSL Labs Test

Visit https://www.ssllabs.com/ssltest/ and check the "OCSP Stapling" field in the results. It should show "Yes" with response details.

Troubleshooting

Common Issues

Symptom                          | Cause                          | Solution
"no response sent"               | Server hasn't fetched OCSP yet | Wait for first request, or pre-fetch
"OCSP response: responder error" | CA responder issues            | Check CA status, retry later
Nginx won't start                | Missing resolver               | Add resolver directive
Response expired                 | Refresh failed                 | Check firewall, DNS resolution

Debug Commands

# Check OCSP responder is reachable
curl -I http://ocsp.digicert.com

# Manual OCSP query
openssl ocsp -issuer chain.pem -cert server.pem \
  -url http://ocsp.digicert.com -noverify

# Check response validity period
openssl ocsp -issuer chain.pem -cert server.pem \
  -url http://ocsp.digicert.com -resp_text | grep -E "This Update|Next Update"

Nginx Specific

# Validate the configuration (catches a missing resolver directive; does not test responder reachability)
nginx -t  # Should show no errors

# Force OCSP fetch (trigger with request)
curl -I https://example.com

# Check Nginx error log
tail -f /var/log/nginx/error.log | grep -i ocsp

OCSP Must-Staple

For maximum security, consider OCSP Must-Staple (use with caution):

Generate CSR with Must-Staple

# Add the extension to the CSR: the [must_staple] section is only applied when
# selected with -reqexts. The CA must honour it for the issued certificate to carry it.
openssl req -new -key server.key -out server.csr \
  -reqexts must_staple \
  -config <(cat /etc/ssl/openssl.cnf \
    <(printf "\n[must_staple]\ntlsfeature = status_request"))

Verify Certificate Has Must-Staple

openssl x509 -in server.crt -noout -text | grep -A 1 "TLS Feature"
# Should show: status_request

Warning: With Must-Staple, if OCSP stapling fails, browsers will reject the connection entirely. Only enable if you have:

  • Reliable OCSP stapling infrastructure
  • Monitoring for stapling failures
  • Fast incident response capability

Performance Impact

Scenario          | Latency Impact
No OCSP checking  | 0ms (insecure)
OCSP stapling     | 0ms (server pre-fetches)
Client OCSP query | +100-500ms per connection
OCSP soft-fail    | 0ms if responder slow

Best Practices

  1. Always enable stapling - No downside, improves performance and privacy
  2. Include full certificate chain - OCSP verification needs intermediate certs
  3. Configure DNS resolver - Nginx needs this to find OCSP responder
  4. Monitor stapling status - Alert if stapling stops working
  5. Consider Must-Staple carefully - Stronger security but higher risk
  6. Allow outbound port 80 - OCSP responders typically use HTTP
  7. Test after changes - Verify stapling works in production
