OCSP Stapling: Faster Revocation Checks
Learn what OCSP stapling is, how it speeds up certificate revocation checks, and when it matters for HTTPS performance and security.
Introduction
OCSP, or Online Certificate Status Protocol, lets clients check whether an SSL/TLS certificate has been revoked before it expires. OCSP stapling improves this process by allowing the web server to attach a recent certificate status response during the TLS handshake.
Without stapling, a browser may need to contact the certificate authority’s OCSP responder separately. With stapling, the server provides the revocation status directly, which can reduce extra network requests and improve privacy.
Quick answer
OCSP stapling lets a web server include a fresh certificate revocation status response during the TLS handshake. It can reduce browser-side OCSP lookups, improve performance and reduce privacy leakage. It is useful, but it is an optimization rather than the first SSL issue to fix.
What is OCSP?
OCSP stands for Online Certificate Status Protocol. It is used to check whether an SSL/TLS certificate has been revoked before its normal expiration date. A certificate may be revoked before it expires because:
- The private key was compromised
- The certificate was issued incorrectly
- The domain owner requested revocation
- The certificate authority found a problem
- The certificate should no longer be trusted
OCSP is about certificate status. It is different from certificate expiration, hostname matching or certificate chain validation.
OCSP stapling
OCSP stapling allows the server to fetch a signed OCSP response from the certificate authority and “staple” it to the TLS handshake. The browser can then verify the stapled response without making a separate request to the CA’s OCSP server.
Without stapling:
- Browser → Website
- Browser → CA OCSP responder
With stapling:
- Browser → Website, and the website includes the OCSP status in the handshake
The stapled OCSP response must be fresh and valid.
Why it exists
OCSP stapling exists to make certificate revocation checks more efficient.
- Fewer extra browser requests
- Faster TLS handshake in some cases
- Less dependency on CA OCSP responder availability
- Improved user privacy
- Cleaner SSL/TLS security scans
- Better behavior for high-traffic HTTPS sites
OCSP stapling does not replace a valid certificate, correct hostname coverage or a complete certificate chain.
Privacy
Without stapling, a browser may contact the certificate authority’s OCSP responder to ask about the certificate status. That query can reveal to the CA that a user is visiting the site that uses that certificate.
With stapling, the server provides the OCSP response directly, so the browser usually does not need to contact the CA for that check.
This is one reason OCSP stapling is often considered a privacy and performance improvement.
When it matters
- High-traffic websites: can reduce extra client-side revocation lookups.
- Security-sensitive sites: useful for a cleaner TLS posture.
- Performance-sensitive sites: can reduce extra latency in some scenarios.
- Enterprise or compliance scans: may be flagged as recommended by SSL audit tools.
- CDN and proxy setups: may be handled at the CDN edge instead of the origin server.
For small websites, OCSP stapling is useful but usually less urgent than fixing expired certificates, hostname mismatch, weak TLS versions or redirect issues.
Why this matters
OCSP stapling matters because certificate revocation is part of HTTPS trust. A certificate can be technically unexpired but still revoked. Stapling helps browsers receive revocation status more efficiently during the TLS handshake.
However, OCSP stapling is not a cure-all. It will not fix an invalid certificate, expired certificate, wrong hostname, incomplete chain or mixed content.
How to check OCSP
Use SSL Checker or OpenSSL to check whether the server sends a stapled OCSP response.
When checking OCSP stapling, review these six checks to confirm stapling is working correctly:
- Stapling status: confirm whether a stapled OCSP response is present.
- Response freshness: check whether the OCSP response is current and valid.
- Certificate chain: confirm the certificate chain is complete.
- CDN behavior: check the public hostname, especially if a CDN or proxy is used.
- Origin behavior: if needed, check the origin server separately.
- Server logs: review web server logs if stapling fails to fetch OCSP responses.
Common problems
- OCSP stapling not enabled (severity: Low). The server does not include a stapled OCSP response. Next step: enable OCSP stapling in the web server, hosting panel or CDN if supported.
- OCSP response expired (severity: Medium). The stapled response is present but no longer fresh. Next step: check the server OCSP cache, resolver access and renewal behavior.
- Server cannot reach OCSP responder (severity: Medium). The web server cannot fetch revocation status from the certificate authority. Next step: check the outbound firewall, DNS resolution and CA responder connectivity.
- Incomplete certificate chain (severity: Medium). OCSP stapling may fail if the server cannot build the correct issuer chain. Next step: install the full certificate chain.
- CDN handles stapling differently (severity: Low). The CDN edge may provide OCSP stapling even if the origin does not, or the reverse. Next step: check the public CDN hostname and the origin separately if needed.
- Stapling enabled but not visible (severity: Medium). The server configuration may be incomplete or not reloaded. Next step: reload the web server and re-test externally.
- Confusing OCSP with renewal (severity: Low). OCSP stapling checks revocation status, not certificate renewal. Next step: check certificate expiry separately with SSL Checker.
How to enable it
- Step 1: Confirm certificate and chain are valid. Fix certificate expiry, hostname mismatch and incomplete chain before focusing on OCSP stapling.
- Step 2: Identify where HTTPS terminates. Check whether TLS is served by hosting, Nginx, Apache, LiteSpeed, CDN, reverse proxy or load balancer.
- Step 3: Enable OCSP stapling where supported. Use your web server, hosting panel or CDN SSL/TLS settings.
- Step 4: Allow outbound OCSP access. Make sure the server can resolve DNS and reach the certificate authority’s OCSP responder.
- Step 5: Reload the service. Reload Nginx, Apache, LiteSpeed, CDN configuration or proxy service after changes.
- Step 6: Re-test externally. Use SSL Checker or OpenSSL to confirm a stapled OCSP response is present.
- Step 7: Monitor renewal and chain changes. After certificate renewal, confirm OCSP stapling still works.
Before enabling
Confirm these items before turning on OCSP stapling:
- Certificate is valid: expiry and hostname are correct.
- Hostname matches: the certificate covers the public hostname.
- Full chain is installed: intermediate certificates are present.
- Server can reach OCSP responder: outbound access to the CA works.
- DNS resolver works: the server can resolve OCSP hostnames.
- CDN/proxy behavior is understood: know where TLS terminates.
- Web server supports stapling: the hosting or server stack allows it.
After enabling
Verify stapling is active from outside the server:
- Service is reloaded: configuration changes are applied.
- Stapled response is visible: OpenSSL or SSL Checker shows OCSP status.
- Response is fresh: the OCSP response is current and valid.
- Public hostname is checked: test the URL visitors use.
- Renewal does not break stapling: re-test after certificate changes.
- SSL scan is clean: no stapling-related warnings remain.
Nginx and Apache
OCSP stapling is commonly configured in web server SSL settings.
# Nginx (inside the server block for the HTTPS site)
ssl_stapling on;
ssl_stapling_verify on;
# Apache (mod_ssl)
SSLUseStapling on
Exact configuration depends on server version, certificate chain, resolver settings and hosting environment. Managed hosting or CDN providers may handle stapling automatically.
CDN behavior
When a CDN is used, visitors usually connect to the CDN edge certificate. In that case, OCSP stapling may be controlled by the CDN rather than the origin server.
- Public CDN hostname
- CDN edge certificate
- Origin certificate separately if needed
- CDN SSL/TLS settings
- Whether the CDN automatically manages OCSP stapling
If the CDN handles TLS, the origin server’s OCSP stapling status may not be what visitors experience.
Check examples
openssl s_client -connect example.com:443 -servername example.com -status
Look for:
OCSP response: no response sent
or:
OCSP Response Status: successful
To view the certificate chain the server actually sends:
openssl s_client -connect example.com:443 -servername example.com -showcerts
To confirm the site responds over HTTPS from outside:
curl -I https://example.com
These examples are illustrative. Replace example.com with your real hostname and adjust configuration for your server or CDN.
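As an added example (not part of the original guide), a small Python script that parses the OCSP block printed by openssl s_client -status and maps it to the stapling-status, freshness and revocation findings described above. The two sample outputs are constructed, and check_host assumes openssl is on PATH and the host is reachable.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of `openssl s_client -status` output from a server that staples.
SAMPLE_STAPLED = """\
OCSP response:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jan  1 12:00:00 2024 GMT
    Next Update: Jan  8 12:00:00 2024 GMT
"""
SAMPLE_NONE = "OCSP response: no response sent\n"  # constructed: nothing stapled

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"  # timestamp format openssl prints

def field(output, name):
    # Value of an indented "Name: value" line, or None if the field is absent.
    m = re.search(r"^\s*" + re.escape(name) + r": (.+)$", output, re.M)
    return m.group(1).strip() if m else None

def when(output, name):
    # Parse an openssl timestamp field into an aware UTC datetime.
    v = field(output, name)
    return datetime.strptime(v, OPENSSL_TIME).replace(tzinfo=timezone.utc) if v else None

def parse_stapled(output):
    """Extract presence, Cert Status and validity window from s_client output."""
    return {"stapled": "OCSP Response Status: successful" in output,
            "status": field(output, "Cert Status"),
            "this_update": when(output, "This Update"),
            "next_update": when(output, "Next Update")}

def evaluate(output, now=None):
    """Map parsed output to the findings this guide describes."""
    now = now or datetime.now(timezone.utc)
    r = parse_stapled(output)
    if not r["stapled"]:
        return "not stapled"                      # "OCSP stapling not enabled"
    if r["status"] != "good":
        return "certificate " + str(r["status"])  # revoked or unknown: act on it
    if r["next_update"] and now > r["next_update"]:
        return "stapled but expired"              # "OCSP response expired"
    return "ok"

def check_host(host):
    """Run the check against a live host (assumes openssl on PATH and network)."""
    cmd = ["openssl", "s_client", "-connect", host + ":443", "-servername", host, "-status"]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=20).stdout
    return evaluate(out.decode(errors="replace"))
```

Run check_host after every renewal and reload; a result other than "ok" corresponds to one of the common problems listed above.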
Frequently asked questions
What is OCSP stapling?
OCSP stapling lets a server include a certificate revocation status response during the TLS handshake.
Does OCSP stapling make SSL more secure?
It improves how revocation status is delivered, but it does not replace certificate validation or fix certificate errors.
Is OCSP stapling required?
Not always. It is recommended for stronger TLS posture, but expired certificates, hostname mismatch and old TLS versions are usually more urgent.
Why is OCSP stapling missing?
The server or CDN may not support it, it may not be enabled, or the server may not be able to fetch the OCSP response.
Does a CDN handle OCSP stapling?
Often yes. If TLS terminates at the CDN, the CDN may manage OCSP stapling for the edge certificate.
Can OCSP stapling fail after certificate renewal?
Yes. Chain changes, server reload issues or CA responder access problems can affect stapling after renewal.
Is OCSP the same as certificate expiry?
No. OCSP checks whether a certificate was revoked before expiry. Expiration is a separate certificate validity check.