OCSP stapling is a method for quickly and safely determining whether or not an SSL certificate is valid. It allows a web server to provide information on the validity of its own certificates rather than having to request the information from the certificate’s vendor.

Graphic for OCSP stapling by MaxCDN.


Although encrypted web traffic protects users, it requires additional steps to verify integrity and confidentiality. One of these steps is determining whether or not the SSL certificate used to secure a website is still valid, or whether it has expired or been revoked.

The only way to verify the current status of a certificate is to ask its vendor. Since the vendor maintains key information about the certificate including expiration date and any actions performed on the certificate, browsers ensure user safety by requesting certificate information from the vendor instead of from the web server.

How OCSP Stapling Works

The Online Certificate Status Protocol (or OCSP) is a way for a web browser to determine the validity of an SSL certificate by verifying it with the certificate’s vendor. While OCSP improves security, it causes websites to load more slowly, since the browser has to communicate with both the web server and the vendor. With OCSP stapling, the web server downloads a copy of the vendor’s response, which it can deliver directly to the browser.

Here’s a rundown of how OCSP stapling works:

  1. A web server hosting an SSL-encrypted website queries the certificate vendor. The vendor responds with the status of the certificate and a digitally signed time-stamp. Digitally signing the response makes it difficult for the web server to modify it.
  2. When a web browser connects to the server, the server bundles (or “staples”) the vendor’s signed time-stamp with the SSL certificate.
  3. The browser verifies the time-stamp. Since the time-stamp is signed by the vendor, the browser can trust the time-stamp to provide a valid status.
  4. Based on the OCSP response, the browser either opens the page or shows an error message to the user.

OCSP stapling shifts the burden of handling OCSP requests from certificate vendors to web hosts. By doing so, it helps SSL connections perform faster while preventing users from transmitting sensitive browsing information to third parties.

Example of OCSP Stapling

Say a user decides to visit MaxCDN’s website. Since the website is SSL encrypted, the status of the certificate needs to be determined by the certificate’s vendor (in this case, GoDaddy). With plain OCSP, the browser would query GoDaddy directly, resulting in a slower load time. Additionally, the user would have to provide GoDaddy with MaxCDN’s URL, which allows GoDaddy to determine who browsed which site at which time.

With OCSP stapling, MaxCDN periodically queries GoDaddy and caches a response, which is then provided to the browser. The browser checks the response’s age from its time-stamp and its authenticity against the vendor’s digital certificate, which prevents the server from tampering with the response. More importantly, OCSP stapling allows the website to load faster while ensuring the user’s privacy.

Benefits of OCSP Stapling

OCSP stapling ensures the safety and privacy of confidential data with minimal intervention from web hosts.

  • Users experience faster load times for secure content since their browsers have to make fewer third-party requests.
  • Enterprises see higher customer satisfaction since secure content can be delivered to users more quickly.

Enabling OCSP Stapling

OCSP stapling is supported by most modern web browsers and is enabled by default in IIS. For Apache and Nginx, enabling OCSP stapling requires additional directives in the site’s virtual host file.

For Apache, an additional SSLStaplingCache directive defines the location where the cached response is stored. Detailed instructions can be found in the mod_ssl documentation for Apache and in the ngx_http_ssl_module documentation for Nginx.
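An Apache virtual host with stapling enabled, added here as an illustration rather than taken from the Apache documentation or from the original post; the hostname and file paths are placeholders.

```apache
# Server-wide context (outside any <VirtualHost>): where Apache keeps the
# vendor's signed response so it can be stapled into every TLS handshake.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    # Placeholder hostname and paths. The chain file must contain the issuer
    # certificate, which Apache needs in order to build its OCSP request.
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.test.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.test.key
    SSLCertificateChainFile /etc/ssl/certs/vendor-chain.crt

    SSLUseStapling on
    # Re-query the vendor once an hour, and stop waiting on a slow responder
    # after 5 seconds so that handshakes are not held up.
    SSLStaplingStandardCacheTimeout 3600
    SSLStaplingResponderTimeout 5
    # Never staple a vendor error ("tryLater", internal error): sending one is
    # worse than sending no staple at all, which lets the browser fall back.
    SSLStaplingReturnResponderErrors off
</VirtualHost>
```

From a client, "openssl s_client -connect www.example.test:443 -servername www.example.test -status" shows whether a staple was sent; look for "OCSP Response Status: successful" in the output. The Nginx equivalents are ssl_stapling on, ssl_stapling_verify on, ssl_trusted_certificate and a resolver directive.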


With the increasing severity of attacks on the web’s infrastructure, enterprises need to find ways to increase security without impacting the user experience. As of May 2013, only 21% of SSL certificates included OCSP responses. Adding OCSP stapling can improve security while giving a business a performance boost over its competitors.

In the digital world, there are very few opportunities to simultaneously improve security and performance. OCSP stapling makes it easy to do both.

  • Aleksey Chemakin

    “The vendor responds with the status of the certificate and a digitally signed time-stamp.”

    I do not understand how a signed timestamp is related to a certain certificate. I think the CA must sign the serial number + timestamp and not only the timestamp.

    • Ivan Dabic


      To be more precise, it’s been predefined by RFC 2560, and the items in a response are:

      1. version of the response syntax
      2. name of the responder
      3. responses for each of the certificates in a request
         3.1 target certificate identifier
         3.2 certificate status value
         3.3 response validity interval
         3.4 optional extensions
      4. optional extensions
      5. signature algorithm OID
      6. signature computed across hash of the response