OCSP Stapling

OCSP Stapling
Bruce Morton

Digital certificate status is provided by the certificate revocation list (CRL) and online certificate status protocol (OCSP). The CRL is a list of all certificates that have been revoked. If the serial number is not on the list it is assumed to be good. OCSP provides a response for all certificates. In layman’s terms, the response is either good or bad.

There are debates as to which method is the most valuable. By rights, it really comes down to the certification authority (CA) and the user’s site access methodology. If the CA revokes a lot of certificates and thus manages a large CRL, then CRL is bad; the large file takes a long time to download.

If the user is using a mobile device, then they may not want to download a large file and may not have the room to store the file. As such, as we move into the mobile world, it appears that OCSP is the favored methodology. For more information on OCSP, please see this pair of memos from the Internet Engineering Task Force (IETF): RFC 5019 and RFC 6960.

OCSP responses can be provided in two ways.

  1. The most common method is for the CA to operate an OCSP service. When a browser wants to find out the status of the certificate, it finds the OCSP site from an extension in the certificate and checks to see if the certificate is good or bad. This requires the browser to rely on a service being provided by the CA.Unfortunately, some CAs are not good at providing their OCSP responses. In some cases, there is no service and in other cases the service is just way too slow. Slow service means it provides latency on the website as it tries to load up.
  2. The second alternative is OCSP stapling. In OCSP stapling, the Web server obtains the OCSP response from the CA. When a browser comes to the site, the OCSP response is stapled to the SSL handshake. This means there is no extra connection to the CA’s OCSP service. The result is less latency and a faster loading website.It also allows the website owner to manage their own performance by increasing the throughput of their servers as their website gets more popular. There is also upside for the CA, as it does not have to compensate for additional performance for highly active websites.

If you are running a website and want to decrease latency, consider implementing OCSP stapling. You will have to find out if your server supports stapling. The following support OCSP stapling:

  • Apache 2.3.6+
  • Microsoft IIS 7+, where stapling is enabled by default
  • NginX  1.3.7+
Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

1 Comment

Add to the Conversation