Short answer

OCSP stapling lets the web server itself fetch a signed, time-stamped revocation response from the CA in advance and attach ("staple") it to the TLS handshake. The client thus gets the proof that the certificate is not revoked directly from the server — without contacting the CA itself. It is both faster (no extra lookup in transit) and more private (the CA does not see who visits the site). The proof is fresh because the server refreshes it continuously.

Background: how is revocation normally checked?

A certificate can be revoked before expiry — for instance if the private key leaks. To know this, the client must check the certificate's status. The classic way is OCSP (Online Certificate Status Protocol): the browser asks the CA's OCSP server "is this certificate still valid?". This has two problems, which we also touch on in OCSP revocation explained: it is an extra network lookup that delays the connection, and the CA learns which site you are about to visit.

How stapling works

Stapling moves the lookup from the client to the server:

  1. The server itself periodically asks the CA's OCSP server about its own certificate's status.
  2. The CA replies with a signed, time-stamped OCSP response, valid for a period (typically hours to days).
  3. The server caches the response and attaches it to every TLS handshake in an extension.
  4. The client verifies the CA signature on the attached response — and does not need to contact the CA itself.

Because the response is signed by the CA, the server cannot forge it. And because it is time-stamped and valid for only a short time, it is genuinely fresh. The handshake in which the response is delivered is covered in the TLS handshake explained.

The two benefits

  • Performance: The client avoids an extra round-trip to the CA's (often slow or distant) OCSP server. The status arrives in the handshake it is already performing.
  • Privacy: Without stapling, every OCSP lookup tells the CA which site the client is about to visit. With stapling, the server makes the lookup on behalf of all its users at once — the CA sees only the server, not the individual visitors.

How to enable it — nginx

ssl_stapling on;
ssl_stapling_verify on;
# resolver is used to look up the CA's OCSP host
resolver 1.1.1.1 8.8.8.8 valid=300s;
ssl_trusted_certificate /etc/ssl/example.com/chain.pem;

ssl_stapling_verify on makes nginx verify the CA's signature on the OCSP response before attaching it, and ssl_trusted_certificate must point at the chain so the verification can happen. Reload with nginx -t && systemctl reload nginx.

Verify that stapling works

openssl s_client -connect example.com:443 -servername example.com -status 2>/dev/null \
  | grep -A 17 "OCSP response"

If you see OCSP Response Status: successful and Cert Status: good, the server delivers a valid stapled response. If you see "no response sent", stapling is either not enabled or not yet warmed up: nginx fetches the OCSP response from the CA only after the first handshake and then caches it, so the very first connection after a reload typically carries no staple. Run the check again.
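The same check as a small monitoring script, added here as an example and not part of the article or of CertControl: it parses the text that openssl s_client -status prints, reports whether a staple was sent and what Cert Status it carries, and checks that the current time falls inside the response's This Update / Next Update window. It assumes OpenSSL's field names as shown; the sample outputs are constructed, not captured from a real host.

```python
# Added example (not from the article): classify a stapled OCSP response
# as printed by `openssl s_client -status`. Assumes OpenSSL's textual layout
# ("OCSP Response Status", "Cert Status", "This Update", "Next Update",
# and the "no response sent" marker).
import re
import subprocess
from datetime import datetime, timezone
from typing import Optional

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # OpenSSL prints e.g. "Jan  5 12:00:00 2024 GMT"

def _field(output: str, name: str) -> Optional[str]:
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", output, re.M)
    return m.group(1) if m else None

def _parse_time(value: str) -> datetime:
    # Collapse the double space OpenSSL uses before single-digit days.
    return datetime.strptime(" ".join(value.split()), _TIME_FMT).replace(tzinfo=timezone.utc)

def utc(*ymd: int) -> datetime:
    return datetime(*ymd, tzinfo=timezone.utc)

def classify_staple(output: str, now: Optional[datetime] = None) -> dict:
    """Return whether a staple was sent, its Cert Status, and whether it is fresh at `now`."""
    now = now or datetime.now(timezone.utc)
    this_update = _field(output, "This Update")
    if "no response sent" in output or this_update is None:
        return {"stapled": False, "cert_status": None, "fresh": False}
    resp_status = _field(output, "OCSP Response Status") or ""
    start = _parse_time(this_update)
    end_raw = _field(output, "Next Update")
    end = _parse_time(end_raw) if end_raw else None
    # Fresh = the CA answered "successful" and now lies in [thisUpdate, nextUpdate).
    fresh = resp_status.startswith("successful") and start <= now and (end is None or now < end)
    return {"stapled": True, "cert_status": _field(output, "Cert Status"), "fresh": fresh}

def probe(host: str, port: int = 443) -> dict:
    """Run the article's s_client command against a live host and classify its output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=15).stdout
    return classify_staple(out.decode(errors="replace"))

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_GOOD = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jan  5 12:00:00 2024 GMT
    Next Update: Jan 12 12:00:00 2024 GMT
"""
SAMPLE_NONE = "CONNECTED(00000003)\nOCSP response: no response sent\n"
```

A Must-Staple deployment would page on any result other than stapled, fresh and good.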

A note on must-staple

Stapling is "best effort" by default: if the server's OCSP lookup fails, the proof is simply skipped. A certificate can, however, be issued with the OCSP Must-Staple flag, which requires that a valid stapled response is always present — otherwise the client rejects the connection. This increases security but makes the server dependent on stapling never failing, and should therefore only be used with solid monitoring.

How CertControl helps

CertControl negotiates a real handshake against each endpoint and can see whether the server delivers a valid stapled OCSP response — alongside the certificate's validity, the completeness of the chain and the chosen protocol. Together with expiry monitoring, this gives you a complete picture of each TLS configuration from the outside, exactly as a real client sees it.

Frequently asked questions

What is the difference between OCSP and OCSP stapling?

With plain OCSP the client itself contacts the CA to check the certificate's status. With stapling the server fetches a signed response in advance and delivers it in the handshake, so the client avoids the lookup — faster and more private.

Why is stapling better for privacy?

Without stapling, every OCSP lookup reveals to the CA which site the client is about to visit. With stapling the server makes the lookup on behalf of all its visitors at once, so the CA sees only the server, not the individual users.

Can the server forge a stapled OCSP response?

No. The response is signed by the CA and time-stamped, and the client verifies the signature. The server can only relay a genuine, fresh response from the CA — it cannot create one itself.

What is OCSP Must-Staple?

A flag in the certificate that requires a valid stapled OCSP response to always be present, otherwise the connection is rejected. It increases security but makes the server dependent on stapling never failing — use only with good monitoring.

How do I test whether stapling is enabled?

Run openssl s_client -connect host:443 -servername host -status and look for OCSP Response Status: successful. If you see "no response sent", stapling is not active or not yet warmed up.