OCSP Stapling

Security

Server-side fetching and stapling of certificate revocation status into the TLS handshake. Eliminates the client's need to contact the CA's OCSP responder, saving one RTT and improving privacy.

Updated Mar 9, 2026

Full Explanation

When a browser connects via TLS, it should check whether the server's certificate has been revoked. Without stapling, the browser has to make a separate OCSP (Online Certificate Status Protocol) request to the certificate authority. That's an extra DNS lookup, TCP connection, and HTTP request—adding 100–300ms to the TLS handshake.

OCSP stapling moves this responsibility to the server. The CDN edge periodically fetches the OCSP response from the CA and includes ("staples") it in the TLS handshake. The client gets the revocation status immediately without any extra round trips. It also improves privacy because the CA doesn't learn which sites the user visits.

For CDN performance, OCSP stapling is a low-effort win. It shaves an RTT off the first connection for users whose browsers check revocation status. Most CDN providers enable it by default, but if you run your own edge infrastructure, you need to configure it explicitly. Two caveats apply to a self-run edge: nginx fetches the OCSP response lazily, so the first handshakes after a start or reload go out without a staple until the background fetch completes, and a stapled response that is past its nextUpdate is rejected by clients, so the edge must refresh the cached response before it expires rather than after.

Examples

Nginx OCSP stapling configuration:

server {
    listen 443 ssl;

    ssl_certificate     /etc/ssl/cdn.example.com.crt;
    ssl_certificate_key /etc/ssl/cdn.example.com.key;

    # Enable OCSP stapling and verify the fetched response before stapling it;
    # for that check the trusted file must contain the intermediate and root CAs
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/chain.pem;

    # DNS resolver for OCSP responder lookups
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;
}

Verifying OCSP stapling:

# Check if stapling is active (stdin from /dev/null so s_client exits after the handshake)
openssl s_client -connect cdn.example.com:443 \
    -status -servername cdn.example.com </dev/null 2>/dev/null \
    | grep -E "OCSP Response Status|Cert Status|This Update|Next Update"

# Expected output (Next Update is printed only when the responder set one):
#     OCSP Response Status: successful (0x0)
#     Cert Status: good
#     This Update: Mar  1 00:00:00 2026 GMT
#     Next Update: Mar  8 00:00:00 2026 GMT
#
# "OCSP response: no response sent" means the server stapled nothing
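The manual check above tells you whether a staple is present, but a monitor also has to decide whether the stapled response is still usable: a response past its nextUpdate, or dated in the future because of clock skew on the edge, makes a strict client fail the handshake, which is worse than no staple at all. The script below is an added example, not code from the original page, that parses the text `openssl s_client -status` prints (its layout is assumed from the openssl output format) and classifies the staple as ok, missing, error, revoked, unknown or stale. The sample outputs in it are constructed, not captured from a real host.

```python
"""Judge the stapled OCSP response reported by `openssl s_client -status`.

Added example. It assumes the text layout openssl prints with -status: an
"OCSP response: no response sent" line when the server stapled nothing,
otherwise an "OCSP Response Data:" block carrying "OCSP Response Status",
"Cert Status", "This Update" and (optionally) "Next Update" lines.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# openssl prints times like "Mar  1 00:00:00 2026 GMT"; strptime tolerates the
# double space because whitespace in the format matches one or more spaces.
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


@dataclass
class StapleCheck:
    stapled: bool
    cert_status: Optional[str]    # "good", "revoked", "unknown" or None
    this_update: Optional[datetime]
    next_update: Optional[datetime]
    verdict: str                  # "ok", "missing", "error", "revoked", "unknown", "stale"


def utc_day(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given day; used as the 'now' for freshness checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _field(text: str, name: str) -> Optional[str]:
    """Return the value of the first indented "Name: value" line, or None."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    if value is None:
        return None
    return datetime.strptime(value, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def check_staple(output: str, now: datetime,
                 max_age: timedelta = timedelta(days=7)) -> StapleCheck:
    """Classify the stapled response the way a strict client would.

    A missing staple is not a handshake failure (clients fall back to their own
    fetch or soft-fail), but on an edge that is supposed to staple it means the
    cache is not primed yet or stapling is off.  A response outside its validity
    window is rejected outright, so it is reported as "stale".
    """
    if "no response sent" in output or "OCSP Response Data:" not in output:
        return StapleCheck(False, None, None, None, "missing")

    resp_status = _field(output, "OCSP Response Status")
    if resp_status is None or not resp_status.startswith("successful"):
        # e.g. "tryLater (0x3)": the responder said nothing about the cert
        return StapleCheck(True, None, None, None, "error")

    cert_status = _field(output, "Cert Status")
    this_update = _parse_time(_field(output, "This Update"))
    next_update = _parse_time(_field(output, "Next Update"))

    if cert_status != "good":
        verdict = "revoked" if cert_status == "revoked" else "unknown"
    elif this_update is None or now < this_update:
        verdict = "stale"   # unparsable or future-dated (clock skew on the edge)
    elif next_update is not None and now > next_update:
        verdict = "stale"   # past nextUpdate: the edge failed to refresh in time
    elif next_update is None and now - this_update > max_age:
        verdict = "stale"   # no nextUpdate at all: fall back to an age cap
    else:
        verdict = "ok"
    return StapleCheck(True, cert_status, this_update, next_update, verdict)


# Constructed sample shaped like s_client -status output for a host that
# staples a fresh "good" response (hashes and serial are made up).
GOOD_OUTPUT = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Example CA, CN = Example OCSP Responder
    Produced At: Mar  1 00:00:00 2026 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0123456789ABCDEF0123456789ABCDEF01234567
      Issuer Key Hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
      Serial Number: 0A1B2C3D4E5F
    Cert Status: good
    This Update: Mar  1 00:00:00 2026 GMT
    Next Update: Mar  8 00:00:00 2026 GMT
======================================
"""

# Constructed sample for a server that has stapling off or has not fetched yet.
NO_STAPLE_OUTPUT = "OCSP response: no response sent\n"


if __name__ == "__main__":
    for label, text in (("good", GOOD_OUTPUT), ("none", NO_STAPLE_OUTPUT)):
        print(label, check_staple(text, utc_day(2026, 3, 3)).verdict)
```

In practice you would pipe the real `openssl s_client -status ... </dev/null 2>/dev/null` output into `check_staple` with `datetime.now(timezone.utc)` and alert on anything other than "ok"; running it against every edge node catches the case where one node's cache went stale while the others kept refreshing.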
