
OCSP Stapling: Faster Revocation Checks

Learn what OCSP stapling is, how it speeds up certificate revocation checks, and when it matters for HTTPS performance and security.

By CheckDomainHealth Editorial Team. Reviewed by Dionis Ceban. Updated Jun 28, 2026. 8 min read. Advanced.

Introduction

OCSP, or Online Certificate Status Protocol, lets clients check whether an SSL/TLS certificate has been revoked before it expires. OCSP stapling improves this process by allowing the web server to attach a recent certificate status response during the TLS handshake.

Without stapling, a browser may need to contact the certificate authority’s OCSP responder separately. With stapling, the server provides the revocation status directly, which can reduce extra network requests and improve privacy.

Quick answer

OCSP stapling lets a web server include a fresh certificate revocation status response during the TLS handshake. It can reduce browser-side OCSP lookups, improve performance and reduce privacy leakage. It is useful, but it is an optimization rather than the first SSL issue to fix.

What is OCSP?

OCSP stands for Online Certificate Status Protocol. It is used to check whether an SSL/TLS certificate has been revoked before its normal expiration date. A certificate may be revoked before it expires for reasons such as:

  • The private key was compromised
  • The certificate was issued incorrectly
  • The domain owner requested revocation
  • The certificate authority found a problem
  • The certificate should no longer be trusted

OCSP is about certificate status. It is different from certificate expiration, hostname matching or certificate chain validation.

OCSP stapling

OCSP stapling allows the server to fetch a signed OCSP response from the certificate authority and “staple” it to the TLS handshake. The browser can then verify the stapled response without making a separate request to the CA’s OCSP server.

Without OCSP stapling:
  Browser -> Website
  Browser -> CA OCSP responder (separate status lookup)

With OCSP stapling:
  Browser -> Website (the website includes the OCSP status in the handshake)

The stapled OCSP response must be fresh and valid: signed by the CA's OCSP responder and still inside its validity window (the This Update and Next Update times in the response). A stale or unverifiable staple is ignored by the browser.

Why it exists

OCSP stapling exists to make certificate revocation checks more efficient.

  • Fewer extra browser requests
  • Faster TLS handshake in some cases
  • Less dependency on CA OCSP responder availability
  • Improved user privacy
  • Cleaner SSL/TLS security scans
  • Better behavior for high-traffic HTTPS sites

OCSP stapling does not replace a valid certificate, correct hostname coverage or a complete certificate chain.

Privacy

Without stapling, a browser may contact the certificate authority's OCSP responder to ask about the certificate status. This reveals to the CA that a user is visiting the site that uses that particular certificate.

With stapling, the server provides the OCSP response directly, so the browser usually does not need to contact the CA for that check.

This is one reason OCSP stapling is often considered a privacy and performance improvement.

When it matters

High-traffic websites

Can reduce extra client-side revocation lookups.

Security-sensitive sites

Useful for cleaner TLS posture.

Performance-sensitive sites

Can reduce extra latency in some scenarios.

Enterprise or compliance scans

May be flagged as recommended by SSL audit tools.

CDN and proxy setups

May be handled at the CDN edge instead of the origin server.

For small websites, OCSP stapling is useful but usually less urgent than fixing expired certificates, hostname mismatch, weak TLS versions or redirect issues.

Why this matters

OCSP stapling matters because certificate revocation is part of HTTPS trust. A certificate can be technically unexpired but still revoked. Stapling helps browsers receive revocation status more efficiently during the TLS handshake.

However, OCSP stapling is not a cure-all. It will not fix an invalid certificate, expired certificate, wrong hostname, incomplete chain or mixed content.

How to check OCSP

Use SSL Checker or OpenSSL to check whether the server sends a stapled OCSP response.

When checking OCSP stapling, review the following six items. Together they confirm that stapling is working correctly.

Stapling status

Confirm whether a stapled OCSP response is present.

Response freshness

Check whether the OCSP response is current and valid.

Certificate chain

Confirm the certificate chain is complete.

CDN behavior

Check the public hostname, especially if a CDN or proxy is used.

Origin behavior

If needed, check the origin server separately.

Server logs

Review web server logs if stapling fails to fetch OCSP responses.


Common problems

OCSP stapling not enabled (severity: Low)

The server does not include a stapled OCSP response.

Next step: Enable OCSP stapling in the web server, hosting panel or CDN if supported.

OCSP response expired (severity: Medium)

The stapled response is present but no longer fresh.

Next step: Check server OCSP cache, resolver access and renewal behavior.

Server cannot reach OCSP responder (severity: Medium)

The web server cannot fetch revocation status from the certificate authority.

Next step: Check outbound firewall, DNS resolution and CA responder connectivity.

Incomplete certificate chain (severity: Medium)

OCSP stapling may fail if the server cannot build the correct issuer chain.

Next step: Install the full certificate chain.

CDN handles stapling differently (severity: Low)

The CDN edge may provide OCSP stapling even if the origin does not, or the reverse.

Next step: Check the public CDN hostname and origin separately if needed.

Stapling enabled but not visible (severity: Medium)

The server configuration may be incomplete or not reloaded.

Next step: Reload the web server and re-test externally.

Confusing OCSP with renewal (severity: Low)

OCSP stapling checks revocation status, not certificate renewal.

Next step: Check certificate expiry separately with SSL Checker.

How to enable it

  1. Confirm certificate and chain are valid

    Fix certificate expiry, hostname mismatch and incomplete chain before focusing on OCSP stapling.

  2. Identify where HTTPS terminates

    Check whether TLS is served by hosting, Nginx, Apache, LiteSpeed, CDN, reverse proxy or load balancer.

  3. Enable OCSP stapling where supported

    Use your web server, hosting panel or CDN SSL/TLS settings.

  4. Allow outbound OCSP access

    Make sure the server can resolve DNS and reach the certificate authority's OCSP responder.

  5. Reload the service

    Reload Nginx, Apache, LiteSpeed, CDN configuration or proxy service after changes.

  6. Re-test externally

    Use SSL Checker or OpenSSL to confirm a stapled OCSP response is present.

  7. Monitor renewal and chain changes

    After certificate renewal, confirm OCSP stapling still works.

Before enabling

Confirm these items before turning on OCSP stapling.

Certificate is valid

Expiry and hostname are correct.

Hostname matches

Certificate covers the public hostname.

Full chain is installed

Intermediate certificates are present.

Server can reach OCSP responder

Outbound access to the CA works.

DNS resolver works

Server can resolve OCSP hostnames.

CDN/proxy behavior is understood

Know where TLS terminates.

Web server supports stapling

Hosting or server stack allows it.

After enabling

Verify stapling is active from outside the server.

Service is reloaded

Configuration changes are applied.

Stapled response is visible

OpenSSL or SSL Checker shows OCSP status.

Response is fresh

OCSP response is current and valid.

Public hostname is checked

Test the URL visitors use.

Renewal does not break stapling

Re-test after certificate changes.

SSL scan is clean

No stapling-related warnings remain.

Nginx and Apache

OCSP stapling is commonly configured in web server SSL settings.

Nginx example

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/chain.pem;  # placeholder path: issuer chain used to verify the stapled response
resolver 192.0.2.53 valid=300s;  # placeholder address: DNS resolver nginx uses to look up the OCSP responder

Apache example

SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLUseStapling on

In Nginx, ssl_stapling_verify needs the issuer and root certificates, which it takes from ssl_trusted_certificate, and Nginx needs a resolver directive to resolve the OCSP responder hostname at runtime. In Apache, SSLStaplingCache must be set once in the global server context (outside any VirtualHost) or SSLUseStapling will not work. Exact configuration depends on server version, certificate chain, resolver settings and hosting environment. Managed hosting or CDN providers may handle stapling automatically.

CDN behavior

When a CDN is used, visitors usually connect to the CDN edge certificate. In that case, OCSP stapling may be controlled by the CDN rather than the origin server. When checking a CDN-fronted site, review:

  • Public CDN hostname
  • CDN edge certificate
  • Origin certificate separately if needed
  • CDN SSL/TLS settings
  • Whether the CDN automatically manages OCSP stapling

If the CDN handles TLS, the origin server’s OCSP stapling status may not be what visitors experience.

Check examples

Check stapled OCSP response

openssl s_client -connect example.com:443 -servername example.com -status

Look for:

OCSP response: no response sent

or:

OCSP Response Status: successful

Check certificate chain

openssl s_client -connect example.com:443 -servername example.com -showcerts

Check HTTPS

curl -I https://example.com

These examples are illustrative. Replace example.com with your real hostname and adjust configuration for your server or CDN.
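The openssl check above can be scripted for the "after enabling" and renewal re-tests. The following Python script is an added example, not code from this guide or from the SSL Checker tool: it runs the same openssl s_client -status command, parses the output, and classifies the staple as missing, unparseable, revoked, not yet valid, expired or fresh using the This Update / Next Update times. The optional connect_to argument connects to an origin IP while still sending the public hostname as SNI, so the CDN edge and the origin can be compared. The sample outputs at the bottom are constructed, not captured from a real host.

```python
import re
import subprocess
from datetime import datetime, timezone
OCSP_TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # how openssl prints This Update / Next Update

def _ocsp_time(output, label):
    # Pull a 'This Update:' or 'Next Update:' line out of s_client output as an aware UTC datetime.
    m = re.search(rf"{label}: (.+)", output)
    if not m:
        return None
    text = " ".join(m.group(1).split())  # openssl pads single-digit days with two spaces
    return datetime.strptime(text, OCSP_TIME_FMT).replace(tzinfo=timezone.utc)

def classify_staple(output, now):
    # Classify the staple in `openssl s_client -status` output; `now` is an aware datetime
    # or an ISO 8601 string. Returns: missing, unparseable, revoked, not_yet_valid, expired, fresh.
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if "OCSP response: no response sent" in output:
        return "missing"
    if "OCSP Response Status: successful" not in output:
        return "unparseable"
    cert = re.search(r"Cert Status: (\w+)", output)
    if cert and cert.group(1) != "good":
        return "revoked"  # a stapled 'revoked' answer: the certificate must not be trusted
    this_update, next_update = _ocsp_time(output, "This Update"), _ocsp_time(output, "Next Update")
    if this_update is None or next_update is None:
        return "unparseable"
    if now < this_update:
        return "not_yet_valid"  # usually clock skew between server, CA and checker
    if now > next_update:
        return "expired"  # present but stale; clients treat it like no staple
    return "fresh"

def check_host(host, port=443, connect_to=None, timeout=15):
    # Run the guide's s_client command and classify the staple against the current time.
    # connect_to = origin IP lets you test the origin while still sending the public hostname as SNI.
    cmd = ["openssl", "s_client", "-connect", f"{connect_to or host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"Q\n", capture_output=True, timeout=timeout)
    return classify_staple(proc.stdout.decode(errors="replace"), datetime.now(timezone.utc))

# Constructed sample output (not captured from a real host), shaped like openssl's -status output.
SAMPLE_STAPLED = """OCSP response:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jun 27 10:00:00 2026 GMT
    Next Update: Jul  4 10:00:00 2026 GMT
"""
SAMPLE_MISSING = "CONNECTED(00000003)\nOCSP response: no response sent\n"
```

Call check_host("www.example.com") for the public hostname and check_host("www.example.com", connect_to="ORIGIN-IP") for the origin to see whether the two differ, as the CDN section describes.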

Frequently asked questions

What is OCSP stapling?

OCSP stapling lets a server include a certificate revocation status response during the TLS handshake.

Does OCSP stapling make SSL more secure?

It improves how revocation status is delivered, but it does not replace certificate validation or fix certificate errors.

Is OCSP stapling required?

Not always. It is recommended for stronger TLS posture, but expired certificates, hostname mismatch and old TLS versions are usually more urgent.

Why is OCSP stapling missing?

The server or CDN may not support it, it may not be enabled, or the server may not be able to fetch the OCSP response.

Does a CDN handle OCSP stapling?

Often yes. If TLS terminates at the CDN, the CDN may manage OCSP stapling for the edge certificate.

Can OCSP stapling fail after certificate renewal?

Yes. Chain changes, server reload issues or CA responder access problems can affect stapling after renewal.

Is OCSP the same as certificate expiry?

No. OCSP checks whether a certificate was revoked before expiry. Expiration is a separate certificate validity check.
