A valid SSL certificate signed by a trusted Certificate Authority is mandatory today for all websites. If your certificate has expired or has been revoked, browsers will not trust it anymore. Browsers use the Online Certificate Status Protocol (OCSP) to determine the validity of your SSL certificate. However, the original OCSP has a few shortcomings, which OCSP stapling technology successfully overcomes.
In this article, you will learn what OCSP stapling is, how it works, and why it matters in SSL management and infrastructure.
Table of Contents
- What Is OCSP?
- What Is OCSP Stapling?
- How OCSP Stapling Works
- What are the Advantages of OCSP Stapling?
- What Are the Limitations of OCSP Stapling?
- Which Browsers Support OCSP Stapling?
- How to Verify If Your Server Has OCSP Stapling Enabled?
- How to Enable OCSP Stapling?
What Is OCSP?
In simple terms, OCSP is a way for your device (mobile or desktop) to check if a digital certificate used by a website is still valid.
SSL certificates secure websites and online transactions by verifying the site’s identity and encrypting the data exchanged between user browsers and site servers. However, all trusted certificates have an expiration date. Moreover, they can be revoked during critical security incidents, after which they are no longer trusted.
That’s where OCSP comes in. When you visit a website using HTTPS, your browser will check with the website’s certificate authority (CA) to see if the certificate is still valid.
This process happens in the background, and if the certificate is no longer valid, your browser will display a warning message to alert you to potential security risks.
What Is OCSP Stapling?
OCSP stapling is a technology that improves the performance and security of the Online Certificate Status Protocol (OCSP) check that a web browser carries out to validate the website’s SSL certificate.
With OCSP stapling, the website’s server obtains the OCSP response from the certificate authority and “staples” it to the SSL certificate during the SSL handshake process. The stapled response is then sent to the browser along with the certificate, eliminating the need for the browser to perform a separate OCSP check.
What Is OCSP Must-Staple?
OCSP Must-Staple is a security extension that can be added to an SSL certificate to ensure the certificate’s status is checked every time a website is visited. When a certificate has OCSP Must-Staple enabled, the website’s server is required to include a stapled OCSP response whenever it presents that certificate to a client.
If the server cannot supply a valid stapled response for the certificate, the browser refuses to load the website. This helps prevent attackers from using revoked certificates to impersonate websites or intercept sensitive data.
How Does OCSP Stapling Differ From CRLs?
Both OCSP stapling and Certificate Revocation Lists (CRLs) are used to check the revocation status of SSL certificates. However, they operate differently and affect the SSL handshake process differently.
Certificate Revocation Lists (CRLs) are repositories that contain a list of revoked certificates. When a client connects to a server via SSL, the server sends its digital certificate to the client.
The client then checks the certificate’s revocation status by downloading the CRL from the certificate issuer’s repository and comparing the certificate’s serial number with the list of revoked certificates. If the certificate is on the CRL, the client will reject the certificate and terminate the handshake.
OCSP stapling, on the other hand, is a mechanism that lets the server deliver a signed, time-stamped OCSP (Online Certificate Status Protocol) response together with its digital certificate when the client requests certificate status during the handshake.
Since the stapled response already contains the certificate’s revocation status, the client only needs to verify the CA-signed response supplied by the server, instead of downloading the CRL and searching it for the certificate’s serial number.
Why Does OCSP Stapling Matter?
When you access an HTTPS website, your browser checks the status of the site’s digital certificate. To confirm the certificate is still valid, the browser uses OCSP to contact its issuer, i.e., the Certificate Authority. Since only the CA holds the authoritative status of the SSL certificate, it must answer a large number of OCSP requests in real time, especially for high-traffic websites.
Financially, this is a costly practice for the CA, and end users are affected as well, since the extra OCSP round trips slow down page loading. With plain OCSP, the browser has to talk to both the web server and the Certificate Authority. OCSP stapling simplifies the whole process.
How OCSP Stapling Works
As you already know, when a browser connects to a secure website, it must contact the certificate authority’s OCSP servers to check the validity of the SSL certificate. This can delay page loading, because the browser has to wait for the OCSP server to respond.
OCSP stapling improves on plain OCSP by letting the web server, instead of the browser, query the CA about the status of the SSL certificate. When the web server contacts the CA’s OCSP responder, the CA returns a digitally signed, time-stamped response. When a browser then connects, the web server attaches (“staples”) that signed response to the SSL certificate, making verification quicker: instead of reaching out to the CA, the browser verifies the CA’s signature on the stapled response and, because it comes from a trusted CA, accepts the certificate.
What are the Advantages of OCSP Stapling?
OCSP Stapling provides several advantages, but the main ones are enhanced security, improved performance, and lower network traffic.
- Enhanced security. OCSP stapling prevents security attacks that may occur due to revoked certificates. The stapled response ensures that the client has the most up-to-date certificate revocation status, reducing the risk of man-in-the-middle attacks and other certificate-based vulnerabilities.
- Improved performance. OCSP stapling improves performance by reducing the latency associated with certificate revocation checks. Instead of the client needing to query the CA’s OCSP server directly, the server can provide a stapled response in the SSL handshake, reducing round trips and speeding up the connection establishment.
- Lower network traffic. By eliminating the need to contact the CA’s OCSP server directly, OCSP stapling can significantly reduce network traffic and server load. This can help improve the website’s scalability and reliability, particularly during high-traffic periods.
What Are the Limitations of OCSP Stapling?
While OCSP stapling provides several benefits, it has limitations and potential drawbacks. Here are a few of them:
- Possible Security Risks. OCSP stapling involves sending sensitive information in clear text over the network, which can create potential security risks. For example, an attacker may be able to intercept and modify the stapled response, leading to a false sense of security for the client.
- Dependency on Certificate Authority. OCSP stapling requires the web server to obtain the response from the certificate authority’s OCSP server. If the CA’s OCSP server is down or experiencing issues, the web server cannot provide a valid stapled response.
- Caching Issues. OCSP stapling responses are cached by clients and servers, which can create problems if the cache is not updated regularly. If a certificate is revoked after the stapling response is cached, the client may still trust the certificate until the cache is updated.
Which Browsers Support OCSP Stapling?
Most modern web browsers like Chrome, Firefox, Safari, and Microsoft Edge support OCSP stapling. However, some older or less commonly used browsers may not support it, or the level of support may vary depending on the specific version and configuration.
How to Verify If Your Server Has OCSP Stapling Enabled?
You can use an online tool or a command-line utility like OpenSSL to test whether your server has OCSP stapling enabled. The exact steps depend on the type of server you’re using. In the next section, we provide instructions on how to check the OCSP stapling status and enable it on Windows, Apache, and Nginx.
How to Enable OCSP Stapling?
Below, we’ve provided instructions for enabling OCSP stapling on the ever-popular Windows, Apache, and Nginx servers.
Enable OCSP Stapling on Windows
OCSP stapling is enabled by default on Windows Server 2008 and later versions. If you’re running an earlier Windows Server release, enabling OCSP stapling is not possible. Please update to Windows Server 2008 or later.
Enable OCSP Stapling on Apache
Apache supports OCSP stapling starting from Apache HTTPD Web Server version 2.3.3. If you don’t know which version you’re running, use the following commands:
Next, check if OCSP is enabled. Follow the steps below:
- In OpenSSL, enter the following command:
openssl.exe s_client -connect [yourdomain.com]:443 -status
If OCSP is enabled, you’ll receive the following response in the OCSP Response Data section: “OCSP Response Status: successful (0x0)”. If OCSP is not enabled, you will not see any OCSP response data. In this case, make sure your intermediate certificate is installed correctly.
- Verify if your Apache server has successfully connected to the OCSP server. Run the command below:
- To enable OCSP stapling, you need to edit the virtual host configuration file for your site (your-domain.com-ssl.conf) using the editor of your choice. The configuration file usually resides in the following directory: /etc/apache2/sites-available/your-domain.com-ssl.conf
- Open the file and make the following changes:
- Add the following lines inside the <VirtualHost> tags:
- Add a line inside the tags which points to a trusted certificate chain file. This must contain the intermediate & root certificates in order:
- Add the following line outside the <VirtualHost> tags:
- Add the following lines inside the <VirtualHost> tags:
- Test your configuration:
- Restart the Apache server
Enable OCSP Stapling on NGINX
OCSP stapling is available on NGINX 1.3.7 or later. Check your NGINX web server version:
Use the following OpenSSL OCSP stapling command lines:
- Check if OCSP stapling is enabled. In OpenSSL, run the following command:
openssl s_client -connect [yourdomain.com]:443 -status
- If OCSP is enabled, the OCSP Response Data section should say:
“OCSP Response Status: successful (0x0)”
- If it is not enabled, you won’t see any OCSP Response Data. If you don’t receive confirmation that OCSP is enabled, use this troubleshooting guide.
- To enable OCSP stapling, first, edit the server block configuration file for your site (or nginx.conf if server blocks are not used):
Note: If you need to enable OCSP stapling on just one server block, it must be the “default_server”. If you need to enable it on several server blocks, it must be enabled on the “default_server” first. Then it can be enabled on any other server block.
- Turn on OCSP stapling and have the server verify the OCSP responses by adding two lines inside the server block:
- Indicate a trusted certificate chain file which contains the intermediate & root certificates in order:
- Check your configuration:
sudo service nginx configtest
- Restart NGINX
sudo service nginx reload
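The OpenSSL checks in the Apache and NGINX sections above only tell you to look for “OCSP Response Status: successful (0x0)”. As an added example that is not part of the article, the POSIX shell script below interprets the full `-status` output, distinguishing a good staple from a revoked one, a responder error, and no staple at all; the sample outputs are constructed, and `check_live` assumes a reachable host with OpenSSL installed.

```shell
#!/bin/sh
# Added example (not from the article): interpret the output of
#   openssl s_client -connect host:443 -servername host -status </dev/null
# The parser reads a saved copy of that output so it can be exercised offline.

stapling_status() {
  # Prints one of: stapled-good, stapled-revoked, stapled-unknown,
  # responder-error, none.  Returns 0 only for stapled-good.
  out="$1"
  if ! grep -q 'OCSP Response Status: successful' "$out"; then
    if grep -q 'OCSP response: no response sent' "$out"; then
      echo none            # the server did not staple anything
    else
      echo responder-error # a staple was sent but the responder reported an error
    fi
    return 1
  fi
  status=$(sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*//p' "$out" | head -n 1)
  case "$status" in
    good)    echo stapled-good;    return 0 ;;
    revoked) echo stapled-revoked; return 1 ;;
    *)       echo stapled-unknown; return 1 ;;
  esac
}

check_live() {
  # Live check against a real host (needs network); the redirect from
  # /dev/null makes s_client exit once the handshake has completed.
  host="$1"; out=$(mktemp)
  openssl s_client -connect "$host:443" -servername "$host" -status \
    </dev/null >"$out" 2>/dev/null
  stapling_status "$out"
}

# Constructed sample: the OCSP section of a handshake with a good staple.
SAMPLE_GOOD=$(mktemp)
cat >"$SAMPLE_GOOD" <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
EOF

# Constructed sample: no staple sent at all.
SAMPLE_NONE=$(mktemp)
printf 'OCSP response: no response sent\n' >"$SAMPLE_NONE"
```

Run `check_live your-domain.com` to test a live server; a result other than `stapled-good` means the staple is missing, stale or reports a non-good status and needs attention before the browser ever sees it.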
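The NGINX steps above mention the two stapling lines and the trusted chain file without showing how a misconfigured server block differs from a correct one. As an added example that is not from the article, this shell function audits a server block for `ssl_stapling`, `ssl_stapling_verify` and `ssl_trusted_certificate`; the two sample configurations are constructed, and every file path and the resolver address in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): audit an NGINX server block for the
# stapling directives and flag the weak variant in which stapling is turned on
# but the stapled response is never verified against a trusted chain.

audit_nginx_stapling() {
  # Prints "ok" when all three directives are present (and on); otherwise
  # prints "missing:" followed by the absent directives and returns 1.
  conf="$1"; missing=""
  grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on;' "$conf" \
    || missing="$missing ssl_stapling"
  grep -Eq '^[[:space:]]*ssl_stapling_verify[[:space:]]+on;' "$conf" \
    || missing="$missing ssl_stapling_verify"
  grep -Eq '^[[:space:]]*ssl_trusted_certificate[[:space:]]+' "$conf" \
    || missing="$missing ssl_trusted_certificate"
  if [ -z "$missing" ]; then echo ok; return 0; fi
  echo "missing:$missing"; return 1
}

# Constructed sample: stapling switched on but never verified (weak).
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl default_server;
    ssl_certificate     /etc/nginx/ssl/example.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_stapling on;
}
EOF

# Constructed sample: the corrected block with verification and the chain file.
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
server {
    listen 443 ssl default_server;
    ssl_certificate         /etc/nginx/ssl/example.crt;
    ssl_certificate_key     /etc/nginx/ssl/example.key;
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;  # intermediates + root, in order
    resolver                127.0.0.53;                # placeholder; needed to resolve the OCSP responder
}
EOF
```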
OCSP stapling is another useful addition to the ever-growing list of SSL/TLS extensions. As the web evolves, so does the certificate management technology. By including a digitally signed response in the initial handshake, the server avoids the need for clients to query the CA’s OCSP responder, which reduces latency and potential privacy concerns.