What Is OCSP Stapling and How Does It Speed Up SSL?

OCSP stapling lets your server pre-fetch revocation status so browsers don't need to. Learn how it works and how to enable it on Nginx and Apache.

OCSP stapling is a TLS extension that solves the privacy and performance problems of traditional OCSP checking. Instead of the browser contacting the CA's OCSP server, your web server does it — and caches the signed response.

The Problem with Classic OCSP

In standard OCSP, the browser sends the certificate's serial number to the CA's OCSP responder on every new connection. This leaks your browsing activity to the CA and adds a round trip of latency before the page can load. If the OCSP responder is slow or unreachable, browsers either refuse the connection (hard-fail) or silently skip the check (soft-fail), and soft-fail weakens revocation enforcement because an attacker who can block the OCSP lookup also disables the check.

How Stapling Works

  1. Your web server periodically fetches a signed OCSP response from the CA for its own certificate.
  2. The server caches the response (valid for the period specified in the response, usually hours to days).
  3. During the TLS handshake, the server includes the cached OCSP response alongside the certificate.
  4. The browser verifies the CA's signature on the OCSP response — no external request needed.

Enabling OCSP Stapling on Nginx

# Nginx: place these inside the server {} block that terminates TLS
ssl_stapling on;                        # include a cached OCSP response in the handshake
ssl_stapling_verify on;                 # verify the responder's signature before caching it
# ssl_stapling_verify needs the issuer chain to check that signature; point
# ssl_trusted_certificate at your intermediate + root bundle (placeholder path):
# ssl_trusted_certificate /etc/ssl/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;    # nginx resolves the OCSP responder hostname itself
resolver_timeout 5s;                    # do not let a slow resolver stall the refresh

Also ensure your server has the full certificate chain configured: the file given to ssl_certificate should contain the leaf followed by the intermediates, and ssl_trusted_certificate should point at the intermediate and root bundle. Nginx needs the issuer certificate to build the OCSP request and to verify the signed response before caching it.

Enabling on Apache

# Apache (mod_ssl): SSLUseStapling goes in the TLS <VirtualHost> (or globally)
SSLUseStapling on
# SSLStaplingCache must be set in the global server config, outside any <VirtualHost>;
# the cache is shared by all vhosts and is required for stapling to start
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
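Whichever server you enabled stapling on, confirm from the outside that a stapled response is actually being sent and is not stale before you rely on it (and before you consider Must-Staple). The usual check is `openssl s_client -connect host:443 -servername host -status`, which prints the stapled response. The following is an added example, not code from the original article or from the Nginx or Apache projects: it parses that `s_client -status` output and classifies the result. The two sample outputs are constructed to match OpenSSL's layout, not captured from a real host; `fetch_report` runs the real command and needs network access.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample (not captured from a real host) in the layout
# `openssl s_client -status` prints when the server staples a "good" response.
STAPLED_SAMPLE = """\
CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = XX, O = Example CA, CN = Example OCSP Responder
    Produced At: Jan  1 00:00:00 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 0123456789ABCDEF
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
"""

# Constructed sample for a server whose stapling is disabled or broken.
NOT_STAPLED_SAMPLE = """\
CONNECTED(00000003)
OCSP response: no response sent
"""

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def _parse_openssl_time(text):
    """Parse an OpenSSL 'Jan  1 00:00:00 2024 GMT' timestamp as aware UTC."""
    normalized = " ".join(text.split())  # OpenSSL pads single-digit days with two spaces
    return datetime.strptime(normalized, _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_s_client_status(output):
    """Extract the stapling facts that matter from `s_client -status` output."""
    report = {"stapled": False, "response_status": None, "cert_status": None,
              "this_update": None, "next_update": None}
    if re.search(r"^OCSP response: no response sent", output, re.M):
        return report
    m = re.search(r"OCSP Response Status: (\w+)", output)
    if not m:
        return report  # no OCSP block at all: treat as not stapled
    report["stapled"] = True
    report["response_status"] = m.group(1)
    m = re.search(r"Cert Status: (\w+)", output)
    if m:
        report["cert_status"] = m.group(1)
    for key, label in (("this_update", "This Update"), ("next_update", "Next Update")):
        m = re.search(rf"{label}: (.+)$", output, re.M)
        if m:
            report[key] = _parse_openssl_time(m.group(1))
    return report


def evaluate(report, now=None):
    """Classify a report as 'ok', 'missing', 'error', 'revoked', 'unknown' or 'stale'."""
    now = now or datetime.now(timezone.utc)
    if not report["stapled"]:
        return "missing"           # a Must-Staple certificate would be unreachable here
    if report["response_status"] != "successful":
        return "error"             # e.g. tryLater; the server cached a failure
    if report["cert_status"] == "revoked":
        return "revoked"
    if report["cert_status"] != "good":
        return "unknown"
    if report["next_update"] is not None and report["next_update"] <= now:
        return "stale"             # served past nextUpdate; browsers will reject it
    return "ok"


def fetch_report(host, port=443, timeout=10):
    """Run openssl against a live host (needs network; not exercised offline)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-status"],
        input=b"", capture_output=True, timeout=timeout)
    return parse_s_client_status(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    probe_time = datetime(2024, 1, 2, tzinfo=timezone.utc)
    for name, sample in (("stapled", STAPLED_SAMPLE), ("not stapled", NOT_STAPLED_SAMPLE)):
        print(name, "->", evaluate(parse_s_client_status(sample), now=probe_time))
```

Running `evaluate(fetch_report("www.example.com"))` from a cron job and alerting on anything other than `ok` catches the failure mode that matters most once Must-Staple is in play: a server that silently stopped refreshing its cached response.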

OCSP Must-Staple

The OCSP Must-Staple extension (TLS Feature extension, OID 1.3.6.1.5.5.7.1.24) tells browsers to reject the connection if no stapled OCSP response is provided. This hardens revocation enforcement but requires reliable stapling on your server — if stapling breaks, your site becomes unreachable.

Checking a Certificate's OCSP URL

Decode any certificate with the SSL Certificate Decoder to find the OCSP responder URL in the Authority Information Access extension — that's the endpoint your server queries when stapling is enabled.
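Both of the extensions named above are plain DER structures, and seeing the bytes makes clear what a decoder is reporting. As an added example that is not part of the original article, the block below hand-encodes and decodes the two values with a minimal DER helper: the Authority Information Access value (a SEQUENCE of AccessDescription, each an OID plus a `[6]` IA5String URI, tag `0x86`) from which the OCSP responder URL is read, and the TLS Feature value (`SEQUENCE OF INTEGER`, where the integer 5 is the `status_request` extension number) that constitutes OCSP Must-Staple. The URLs are constructed placeholders, and only definite-length, single-byte-tag DER is handled, which is all these two extensions use.

```python
# Object identifiers for the two extensions discussed in the article.
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"       # AIA accessMethod: OCSP responder
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # AIA accessMethod: issuer certificate
OID_TLS_FEATURE = "1.3.6.1.5.5.7.1.24"    # TLS Feature ("OCSP Must-Staple")
TLS_FEATURE_STATUS_REQUEST = 5            # TLS extension number for status_request


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a tag-length-value triple."""
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(content):
    """Inverse of encode_oid, given the content octets of an OID TLV."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _der_int(n):
    """Non-negative INTEGER content, with a leading zero if the top bit is set."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")


def tlv_iter(data):
    """Yield (tag, content) for each TLV in data; definite lengths, 1-byte tags."""
    i = 0
    while i < len(data):
        tag, ln, j = data[i], data[i + 1], i + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln = int.from_bytes(data[j:j + n], "big")
            j += n
        yield tag, data[j:j + ln]
        i = j + ln


def build_aia(ocsp_urls=(), ca_issuers_urls=()):
    """Encode AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription."""
    descs = b""
    for method, urls in ((OID_AD_OCSP, ocsp_urls), (OID_AD_CA_ISSUERS, ca_issuers_urls)):
        for url in urls:
            # AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
            # GeneralName.uniformResourceIdentifier is IMPLICIT [6] IA5String -> tag 0x86
            descs += der(0x30, encode_oid(method) + der(0x86, url.encode("ascii")))
    return der(0x30, descs)


def find_ocsp_urls(aia_value):
    """Return the OCSP responder URLs from an encoded AIA extension value."""
    urls = []
    for tag, descs in tlv_iter(aia_value):
        if tag != 0x30:
            continue
        for dtag, desc in tlv_iter(descs):
            fields = list(tlv_iter(desc))
            if dtag != 0x30 or len(fields) != 2 or fields[0][0] != 0x06:
                continue
            loc_tag, loc = fields[1]
            if decode_oid(fields[0][1]) == OID_AD_OCSP and loc_tag == 0x86:
                urls.append(loc.decode("ascii"))
    return urls


def build_tls_feature(features=(TLS_FEATURE_STATUS_REQUEST,)):
    """Encode Features ::= SEQUENCE OF INTEGER (the TLS Feature extension value)."""
    return der(0x30, b"".join(der(0x02, _der_int(f)) for f in features))


def requires_stapling(tls_feature_value):
    """True when the TLS Feature value lists status_request (5): OCSP Must-Staple."""
    for tag, seq in tlv_iter(tls_feature_value):
        if tag != 0x30:
            continue
        for itag, ival in tlv_iter(seq):
            if itag == 0x02 and int.from_bytes(ival, "big") == TLS_FEATURE_STATUS_REQUEST:
                return True
    return False


if __name__ == "__main__":
    aia = build_aia(["http://ocsp.example.net"], ["http://ca.example.net/issuer.crt"])
    print("AIA:", aia.hex(), "->", find_ocsp_urls(aia))
    print("Must-Staple:", build_tls_feature().hex(), "->", requires_stapling(build_tls_feature()))
```

The Must-Staple value comes out as `30 03 02 01 05`, which is exactly what you see when a decoder shows the raw TLS Feature extension; a certificate carrying a different feature number (say 17, `status_request_v2`) is not Must-Staple in the sense browsers enforce.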
