OCSP stapling is a mechanism for checking the validity of SSL/TLS certificates — it’s also an acronym that is amongst the easiest to mix up in tech. Seriously, at some point in this explanation, you’ll likely see OCSP or some jumbled attempt at OCSP stapling, and for this I apologize and blame it on acronym-induced dyslexia. (A quick aside: Giving a group of people a name for their disorder that their disorder will make even more difficult to spell seems exceedingly cruel. I’ve never asked a dyslexic person to spell dyslexia, but I can’t imagine it going well if I did.)
Anyway, Back to Certificate Validity and OCSP Stapling.
Generally, when stapling is not employed, one of the calls the client has to make when it’s authenticating a website’s SSL certificate is to the issuing CA’s servers, to confirm that the certificate hasn’t been revoked. But what is OCSP? OCSP stands for Online Certificate Status Protocol. It’s useful, but it’s also an extra call that needs to be made, which slows how quickly the website loads and is slightly more taxing on the client.
When you practice OCSP stapling, the server hosting the website and the SSL certificate fetches a copy of the issuing CA’s signed OCSP response itself and presents it directly to the client during the handshake. This saves time and improves performance.
How OCSP Stapling Works
Now that you know the answer to your question “what is OCSP?” we can tell you how OCSP stapling works. Let’s break it down:
- The web server hosting the SSL certificate sends a query to the issuing CA’s server.
- The issuing CA’s server responds with the OCSP status and a timestamp.
- From this point, whenever a client connects, the server staples the OCSP response to the certificate when it’s presented during the handshake.
- The client verifies the signature on the timestamped response to ensure it came from the issuing CA.
Provided everything checks out, the connection continues unabated. If there’s an issue, the client’s browser issues an error message.
Benefits of OCSP Stapling
The biggest benefit of OCSP stapling is simply performance. Speed. The handshake is a process that can add a lot of latency to connections. A lot has been done over the years to reduce the handshake — TLS 1.3 has it down to a single roundtrip — but there’s only so much that can be done to shrink the authentication portion of the process. That’s governed by the baseline requirements and is considered sacrosanct.
But OCSP stapling can help speed up the authentication process by reducing the number of queries the client has to make when checking validity.
That makes pages load quicker and customers happier. Especially at the enterprise level, at scale, this can be a huge performance boost.
How Do I Start OCSP Stapling?
The good news is OCSP stapling is enabled by default on IIS servers. It’s also supported by most browsers and servers, even if it requires some extra configuration.
For instance, on Apache, you need to add an SSLStaplingCache directive to define where the fetched responses will be stored. Your server software’s vendor should have documentation on enabling OCSP stapling.
And you should find it. And then do that.
You’ll be happy you did.
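Once stapling is switched on (on Apache, SSLUseStapling On alongside the SSLStaplingCache directive mentioned above), it is worth confirming from the outside that a staple is really being sent and that it says what you expect. The shell script below is an added example, not code from the original post; it assumes an OpenSSL build whose `s_client -status` output uses the “OCSP response” / “Cert Status” labels shown in the constructed sample, and the hostname passed to check_stapling is whatever you choose to test.

```shell
#!/bin/sh
# Added example: check whether a TLS server staples an OCSP response.
# staple_verdict reads the text output of `openssl s_client -status` on
# stdin and prints one word: none, good, revoked, unknown or error.
staple_verdict() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) echo "none"; return 0 ;;
  esac
  case "$out" in
    *"OCSP Response Status: successful"*) ;;
    *) echo "error"; return 0 ;;     # no staple, or a failed responder answer
  esac
  status=$(printf '%s\n' "$out" \
    | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
  case "$status" in
    good|revoked|unknown) echo "$status" ;;
    *) echo "error" ;;
  esac
}

# staple_next_update prints the "Next Update" time of the staple on stdin,
# i.e. when the cached response goes stale and the server must refetch it.
staple_next_update() {
  sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1
}

# check_stapling HOST [PORT]: connect with SNI set to HOST, request a staple
# with -status, and report the verdict. Stdin comes from /dev/null so
# s_client exits right after the handshake. Returns success only for "good".
check_stapling() {
  host=$1; port=${2:-443}
  verdict=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -status </dev/null 2>/dev/null | staple_verdict)
  printf '%s:%s stapled OCSP status: %s\n' "$host" "$port" "$verdict"
  [ "$verdict" = "good" ]
}

# Constructed sample of the relevant s_client -status output (not a real host).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'
printf '%s\n' "$SAMPLE_STAPLED" | staple_verdict        # prints: good
```

Run `check_stapling your.host.example` against a live server; a verdict of none means the server negotiated TLS but sent no staple, so the client falls back to its own OCSP lookup.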