OCSP Stapling

ServerPilot automatically enables OCSP stapling for all SSL-enabled apps, including apps using AutoSSL certificates and apps using SSL certificates purchased from your own certificate authority (CA).

What is OCSP Stapling?

OCSP stapling is a very fast and efficient way for browsers to obtain confirmation that the SSL certificate a web server presented to them has not been revoked by the CA that issued the certificate. Using OCSP stapling decreases the total time it takes for a browser to establish a secure connection with a web server.

With OCSP stapling, the web server itself obtains a cryptographically signed statement from the CA that an SSL certificate has not been revoked. The web server keeps this statement, called the OCSP response, and includes it with the rest of the certificate information it sends to a web browser when a web browser initiates an SSL connection with the web server. By "stapling" the CA's OCSP response to the rest of the certificate information, the web server saves the web browser from having to make an extra request to the CA to check if the certificate has been revoked.

The OCSP response is only valid for a short period of time, so the web server will regularly obtain a new OCSP response from the CA.

History of SSL Certificate Revocation Checking

Before modern web browsers began supporting OCSP stapling in 2013, web browsers would need to make their own Online Certificate Status Protocol (OCSP) request directly to the CA's OCSP responder (the URL of the CA's OCSP responder is included in the SSL certificate). However, that added an extra request and response that a web browser would need to make at the beginning of an SSL session. This extra request and response could add a few hundred milliseconds of slowness when opening an SSL connection.

Going back even further to before OCSP existed at all, certificate revocation checks were done using Certificate Revocation Lists (CRLs). These were giant lists maintained by each CA of all certificates they had issued that had been revoked. Because this approach was so cumbersome, many browsers at the time did not perform certificate revocation checks at all.

What Is SSL Certificate Revocation?

In reading about OCSP stapling, you may wonder, "Why would an SSL certificate be revoked? Isn't that the same thing as expired?"

SSL certificate revocation is not the same thing as the certificate's expiration. An SSL certificate's expiration date is a date built into the certificate that indicates the date after which browsers should no longer accept the certificate. If a browser encounters an expired certificate, it doesn't trust it and so the browser does not need to check if the certificate is revoked.

Certificate revocation is different. Anytime you reissue a certificate through a CA, the CA revokes the previously issued certificate. For example, if you paid for a one year certificate but six months later you lost your certificate's private key, you can request your CA reissue your certificate using a new private key and CSR. The CA will issue you a new certificate valid for six months (the remaining time you'd paid for) and will revoke your previous certificate so that if anybody else had that private key and certificate, browsers wouldn't accept it.

Certificates are also revoked by CAs if you report the private key to the CA as having been stolen or if the CA accidentally issues certificates it should not have.

Last updated: October 05, 2016